Controls Design for Efficient Compliance with Sarbanes-Oxley's Section 404
October 2005
by Matthew Leitch
Designing good, efficient, easily audited internal controls—as opposed to
letting controls happen then auditing people into a stupor—has always been
the smart way to comply with internal control regulations, including the
infamous Sections 302 and 404 of the Sarbanes-Oxley Act of 2002, and the
United Kingdom's less demanding Turnbull report.
It's certainly better than letting your internal control system be dictated
by the simplistic checklists of auditors and the sales literature of information
technology (IT) vendors.
Earlier this year, guidance issued by the Public Company Accounting Oversight
Board (PCAOB), which sets standards for external audit against Section 404,
further underlined the potential impact of clever controls design. On May 16,
2005, the PCAOB issued two documents (in a coordinated release with the Securities
and Exchange Commission) that aimed to encourage companies and their auditors to
implement the regulations more intelligently and in a less costly way. (Cynics
would say the regulators sought to defend their own rules by slapping the wrists
of the big four audit firms by contradicting several of the things they had
been telling their clients over the preceding year and a half.)
Within the staff questions and answers document, at answer 47, they say:
- … management might be able to determine that controls operate effectively
through its direct and ongoing monitoring of the operation of controls.
This determination might be accomplished through performing regular management
and supervisory activities, monitoring adherence to policies and procedures,
and performing other routine actions. For instance, a supervisor's review
of a monthly account reconciliation prepared by one of his or her subordinates
could be a monitoring control that also provides management with evidence
supporting its assessment of internal control over financial reporting,
if the results of the supervisor's review were evaluated and documented
as part of management's assessment. To appropriately evaluate the adequacy
of management's assessment as directed by the standard, the auditor needs
to recognize these other types of procedures that are available to management
as part of the basis for its assessment.
Later, the PCAOB explains that if a control is tested by the person who
performs it, then this is self-assessment, and the external auditor cannot rely
on it and reduce his or her work accordingly. However, if the test is performed
by someone other than the person who performs the work, then this is not self-assessment
and there is scope for external audit reliance.
In other words, companies that design the routine
supervision aspect of internal controls appropriately might achieve a high proportion
of compliance with no further effort. (Exactly how far this can be taken
is not known.)
To set the scene for a detailed examination of the design of supervision,
let's first review some of the other ways that good internal controls design
can help with internal controls compliance.
Lines of Defense
A common beginner's mistake is to imagine that internal controls meet control
objectives (or risks if you prefer) one by one. The reality is quite different.
Most controls address many risks, while most risks are met by several controls.
I often think of layers of controls or lines of defense. Few controls are completely
effective so multiple layers act like filters to cut down the risks in stages.
Audit documentation tends to understate this multilayered nature so it is
important in controls design work to document designs so that the full system
is visible.
Automated "Killer" Controls
Having said that control systems are multilayered, it still makes sense to
pick out certain controls and try to make them the ones that get the most focus
from auditors. These controls will usually be automated detective controls with
a wide span that sit one on top of lots of other controls and prove they worked.
Done correctly, these controls make testing others virtually pointless and so
cut audit costs.
For example, the PCAOB's auditing standard 2 describes auditors checking
that compiled software files on a live system have the same dates and sizes
as the software vendor says they should have. What a tedious test, but surely
one that can be scripted and done as often as desired. It would provide evidence
that a range of controls over software change has operated effectively.
If company security policies for servers have been defined in terms of the
specific parameters to be set, then these can be checked across many servers
quickly and automatically. Other examples include overall reconciliations between
accounts, files, or databases, and automated comparisons of details between
files or databases.
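The scripted file check described above, as an added example that is not from the article: a vendor-supplied baseline of expected sizes and modification dates is compared with the live files, anything missing, changed or unexpected becomes a finding, and each run returns a record that can be retained as audit evidence. The directory tree, file names and timestamps are constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timezone

def build_demo_tree():
    """Constructed sample data: a temp directory with two 'vendor' files whose
    sizes and modification times are known, plus the matching baseline."""
    root = tempfile.mkdtemp()
    baseline = {}
    for rel, content, ts in [("bin/ledger.exe", b"A" * 1024, 1700000000),
                             ("lib/post.dll", b"B" * 512, 1700003600)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (ts, ts))                 # pin the mtime the vendor "declared"
        baseline[rel] = {"size": len(content), "mtime": ts}
    return root, baseline

def scan_files(root, baseline):
    """Compare live files with the baseline (relative path -> size, mtime).
    Returns discrepancy records; an empty list means the control passed."""
    findings = []
    for rel, exp in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append({"file": rel, "issue": "missing"})
            continue
        st = os.stat(path)
        if st.st_size != exp["size"]:
            findings.append({"file": rel, "issue": "size", "expected": exp["size"], "actual": st.st_size})
        if int(st.st_mtime) != exp["mtime"]:
            findings.append({"file": rel, "issue": "mtime", "expected": exp["mtime"], "actual": int(st.st_mtime)})
    for dirpath, _, names in os.walk(root):     # files absent from the baseline are also findings
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in baseline:
                findings.append({"file": rel, "issue": "unexpected"})
    return findings

def run_control(root, baseline, operator):
    """One scheduled run: the returned record is the evidence to retain."""
    findings = scan_files(root, baseline)
    return {"run_at": datetime.now(timezone.utc).isoformat(), "operator": operator,
            "files_checked": len(baseline), "findings": findings,
            "result": "pass" if not findings else "fail"}
```

Scheduling run_control nightly and keeping its records gives the time series of evidence the article says makes detailed testing of the underlying change controls largely unnecessary.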
Dynamic anomaly and pattern recognition software can be used to filter for
new forms of error. The software uses statistical learning to identify typical
record values, and their combinations, then searches for unusual transactions.
Measurement for Management
Every large scale, high volume business/accounting process should have an
owning group that gets together regularly to study statistics about the health
of the process, including its error rates, backlogs, volumes, speeds, IT support
issues, and staffing. Their role should include systematically analyzing the
causes of problems and taking actions to remove or reduce those causes.
This activity, and the supporting reports, improve control and provide easily
accessed evidence that control checks have operated (otherwise numbers would
be missing from the report) and that the control system is effective or not
(which is what the numbers show). A well-designed process health report (what
bankers call an operational risk KRI report) will show time series and use graphs
to help people understand how things have unfolded over time.
Design for Inherent Reliability
In high volume, large scale business/accounting processes, the efficient
approach is almost always to stop errors from happening in the first place.
This requires design for inherent reliability.
This is not quite the same as using "preventive" controls. "Preventive" traditionally
means controls performed before data is entered into a computer system. Many
so-called preventive controls are checks for errors or fraud that have already
occurred.
Increasing inherent reliability means making errors and fraud arise less
frequently. Usually this is accomplished by good ergonomics, software bug removal,
and control checks in supporting processes. People often omit ergonomic improvements
but this is due to ignorance of ergonomics, not because the improvements are
unimportant or hard to do.
Ultra low error rates that have been measured by high-powered automated checks,
reported, and tracked, are extremely reassuring for everyone, including external
auditors.
Looking to the Future
Things change and controls get out-of-date unless they are adapted to meet
new conditions and requirements. This process is itself a control to be designed,
implemented, operated, assessed, and audited.
Faced with any form of planned or anticipated change or trend, the process
should identify the main types of control mechanisms that are likely to need
revision and direct the right kind of resources to do the work in adequate time.
Remedial work cannot be completely eliminated because no controls design is
perfect first time, and all need to be tuned in the light of experience. However,
most companies today rely much too heavily on after-the-event audit work to
tell them when controls work is needed.
Supervision and Compliance
Let's return, now, to supervision. The main design constraints from the PCAOB
are simple:
- Someone other than the person who performs a control should look to see
that it has been performed, and performed effectively.
- This should happen often enough to be useful and especially near the
financial year-end.
- Evidence of this "testing" should be kept and brought into management's
overall assessment of the effectiveness of internal control over financial
reporting.
Let's imagine the underlying control is a set of five daily bank reconciliations
performed by an accounts clerk. Currently paper copies of these are all initialed
by the assistant head of treasury, and that's it.
From a control point of view, this is disappointing because potential information
from the control check is not being picked up or passed on. The opportunity
to identify process and system flaws and remove them is being missed. We have
no visibility of process health. We also have little idea how thorough the assistant's
review is before the initials are scribbled on the paper.
From a compliance point of view, this is also a missed opportunity because
the assurance goes no further than the Assistant. There is little alternative
but for auditors to test the Assistant and the clerk in some detail.
What can we change? Here are some suggestions.
- Revise the layout and descriptions of the reconciliations to improve
clarity. (For some reason, most reconciliations are unnecessarily baffling,
so when the work is eventually passed to another clerk, there is a risk
of error.)
- Classify reconciling items into "normal" versus various grades of problem
including bank error, our error, unidentified item, and so on.
- Require the clerk to record the numbers of each item type and to report
verbally or in writing on new types of problem and their apparent causes
(and even possible preventive measures).
- Capture the reconciliation results in the system used for process health
reporting, along with the assistant's review—probably a confirmation and
some remarks about issues uncovered. (This is copied into management's assessment
of internal control for compliance purposes.)
- Require that once a week the assistant sit with the clerk to study the
reconciliations in more than usual detail and understand any problems arising
in their completion. Ideally this will not be the same day each week.
- Require the assistant to report the problem grade stats regularly to
the boss, the treasurer, who reports them on (in a cut down form along with
other stats covering other activities) to their boss, the chief accountant,
who pulls them into an overall review and assessment monthly for the CFO's
internal controls committee.
- Report the stats and notable problems to the process team meeting via
the end-to-end process health monitoring report.
- Require that at every level in this organization pyramid there are occasional
coaching meetings where the effectiveness of routine control activities
(including supervisory activities) is tested and assessed.
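The evidence capture behind these suggestions, as an added example that is not from the article: the clerk's graded reconciling items are summarised for the process health report, the assistant's review is recorded only if the reviewer is not the preparer (the PCAOB's self-assessment constraint), problem types not seen before are surfaced for the weekly sit-down, and the records feed a KRI time series. The account, names, amounts and problem types are constructed.

```python
from collections import Counter

# Grades the clerk assigns to each reconciling item (from the suggestion list above)
GRADES = {"normal", "bank error", "our error", "unidentified"}

def demo_reconciliation():
    """Constructed sample: one day's reconciliation as classified by the clerk."""
    return {"date": "2005-09-30", "account": "Main GBP current", "preparer": "clerk.a",
            "items": [
                {"amount": 1500.00, "grade": "normal", "problem_type": None},
                {"amount": 320.50, "grade": "normal", "problem_type": None},
                {"amount": 99.99, "grade": "bank error", "problem_type": "duplicate direct debit"},
                {"amount": 10.00, "grade": "our error", "problem_type": "posted to wrong period"},
                {"amount": 42.00, "grade": "unidentified", "problem_type": None}]}

def grade_counts(items):
    """Counts per grade for the process health report; rejects unknown grades."""
    bad = [it["grade"] for it in items if it["grade"] not in GRADES]
    if bad:
        raise ValueError(f"unknown grade(s): {bad}")
    return dict(Counter(it["grade"] for it in items))

def record_review(recon, reviewer, remarks, known_problem_types):
    """Evidence record of a supervisory review. Refuses self-review so the
    record can support external audit reliance, and lists problem types the
    clerk reported that have not been seen before."""
    if reviewer == recon["preparer"]:
        raise ValueError("self-assessment: reviewer must differ from preparer")
    new_types = sorted({it["problem_type"] for it in recon["items"]
                        if it["problem_type"] and it["problem_type"] not in known_problem_types})
    return {"date": recon["date"], "account": recon["account"],
            "preparer": recon["preparer"], "reviewer": reviewer,
            "grade_counts": grade_counts(recon["items"]),
            "new_problem_types": new_types, "remarks": remarks}

def health_series(reviews):
    """(date, number of non-normal items) per review, oldest first, for the KRI time series."""
    return [(r["date"], sum(n for g, n in r["grade_counts"].items() if g != "normal"))
            for r in sorted(reviews, key=lambda r: r["date"])]
```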
Now we have a pyramid of supervision helped by central capture of evidence,
and suffused with process health information.
Treat People Like People
Traditional internal control theory sees no problem in treating every employee
as if they are work-shy, dishonest, incompetent, or all three. While a very
few employees are like this, most are not and feel distrusted and insulted by
their employer unless treated with more respect. This is a fundamental problem
for internal controls design and not one we can shrug off, saying "Well, we've
just got to do this because it's the law."
Some helpful tactics are as follows:
- Restrict this kind of supervision to activities that require high reliability.
Don't apply it to everything.
- Focus on the error prevention motives when promoting the procedures.
Don't go on about fraud, but do design against it. People should be motivated
to comply with anti-fraud controls because most are designed to put honest
employees above suspicion.
- Talk about quality rather than control. Most people prefer it, and some
companies have a strong cultural preference for this language.
- Make sure that the employee is being asked for their contribution to
building a better company and improving their job. An unhealthy conversation
is one where the supervisor simply demands confirmation that work has been
completed with no outstanding problems. A healthy conversation is one where
the supervisor asks to be shown what has been done and what has been learned
by it, including lessons about systems and procedures, the impact of behavior
in other departments, and so on. In a healthy conversation, the employee
feels a valued contributor, yet the meaningful exchange that results is
much harder for a cheating employee to fake.
Summary
Well-designed internal controls can lighten the regulatory burden, reduce
errors and fraud, and still leave people feeling like people. The PCAOB has
opened the door to more enlightened compliance, and I urge all companies to
take the opportunity offered.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.