moving forward–a guide to improving corporate … forward–a guide to improving corporate...
TRANSCRIPT
Moving Forward–A Guide to Improving CorporateGovernance Through Effective Internal Control
A Response to Sarbanes-Oxley
Note to Readers Regarding This First Edition – January 2003:
This document was published before the SEC had fully promulgated its Sarbanes-Oxley rules. As a result, subsequent actions by the SEC may substantially alter the accuracy and validity of the material presented herein. Contact your Deloitte & Touche advisor for more information.
2
Moving ForwardA Guide to Improving Corporate GovernanceThrough Effective Internal Control:A Response to Sarbanes-Oxley
Table of Contents3 Executive Summary
6 Obligations and Opportunities
7 Linking Governance To Control Activities
9 Step 1: Start With the End in Mind
0 • Section 302: Your Quarterly and Annual Certification of Disclosure Controls and Procedures
0 • Section 404: Your Annual Assessment of Internal Controls and Procedures for Financial Reporting
0 • 302 Plus 404 Equals 1
13 Step 2: Commit and Organize
0 • Take Stock
0 • Commit to the Task
0 • Form a Steering Committee
15 Step 3: Select a Suitable Internal Control Framework
0 • Internal Control According to COSO
17 Step 4: Empower the Disclosure Committee
20 Step 5: Establish an Internal Control Program
0 • Plan the Project
0 • Assess the Control Environment
0 • Define the Scope
0 • Build a Controls Repository
0 • Perform Initial and Ongoing Tests
0 • Monitor
26 Enabling Technologies to Achieve Results
27 Conclusion
28 Epilogue: Sustaining Momentum
29 Appendix A: Compliance Checklist
3
The Sarbanes-Oxley Act of 2002 has literally rewrittenthe rules for corporate governance, disclosure, andreporting. Yet beneath the act’s myriad pages oflegalese lies a simple premise: Good corporate gover-nance and ethical business practices are no longerniceties — they are the law.
Internal ControlRecent business scandals have found executives testi-fying that they were “unaware” of dubious activities —off-the-book partnerships, improper revenue recogni-tion, etc. — carried on by their companies. Sarbanes-Oxley aims to discourage such claims through a num-ber of measures that will strengthen internal checksand balances and enhance accountability.
Most notably, Sarbanes-Oxley focuses heavily on thecritical role of “internal control.” Internal control is aprocess effected by a company’s board of directors,management, and other personnel that drives busi-ness success in three categories:
• effectiveness and efficiency of operations;
• reliability of financial reporting;
• compliance with applicable laws and regulations.
Sarbanes-Oxley makes CEOs and CFOs explicitlyresponsible for establishing, evaluating, and monitor-ing the effectiveness of internal control over financialreporting and disclosure.
The new and proposed SEC rules that effectSarbanes-Oxley are undeniably complicated, andimplementation will be both time-consuming andcostly, but there are a few mitigating factors:
1. Virtually all public companies already have somesemblance of an internal control structure in place,although it may be informal and not sufficientlydocumented.
2. Many companies will be able to tailor existingprocesses to comply with the internal control pro-visions of Sarbanes-Oxley.
3. Setting up a strong internal control structure tomeet the mandates of the act can provide benefitswell beyond compliance. Indeed, the potential to
revise and realize new corporate visions andachieve new levels of corporate excellenceabounds.
Some observers have described Sarbanes-Oxley as themost significant piece of business legislation in thelast half-century. The point may be arguable, but thisfact is not: Sarbanes-Oxley fundamentally changesthe business and regulatory environment, and publiccompanies can’t afford to underestimate the taskahead. The clock is ticking on compliance and anydelays in dealing with the issue may have seriousconsequences. Immediate and decisive action isrequired.
Critical SectionsMuch of the discussion surrounding Sarbanes-Oxleyhas focused on Sections 302 and 404, as will thispublication.
Under Section 302, CEOs and CFOs must personallycertify that they are responsible for disclosure con-trols and procedures. Each quarterly filing must con-tain a certification that they have performed an eval-uation of the design and effectiveness of these con-trols. The certifying executives must also state thatthey have disclosed to their audit committee andindependent auditor any significant control deficien-cies, material weaknesses, and acts of fraud. TheSEC has also proposed an expanded certificationrequirement that includes internal controls and pro-cedures for financial reporting, in addition to therequirement related to the disclosure controls andprocedures.
Section 404 mandates an annual evaluation of internalcontrols and procedures for financial reporting. Inaddition, the company’s independent auditor mustissue a separate report that attests to management’sassertion on the effectiveness of internal controls andprocedures for financial reporting.
Steps Toward Developing an Internal Control ProgramWe recommend the following steps for developing aninternal control program to address these provisionsof Sarbanes-Oxley:
Executive Summary
4
1Start With the End in MindSome companies have adopted a strategy thatprioritizes compliance with Section 302 over that
of Section 404, under the rationalization thatSection 302 is already in force and Section 404 won’tapply until late 2003. Yet we believe that separatelyaddressing these two sections of the act constitutesan inefficient process. Quite simply: The mandates of both sections can be addressed through a singlemethodology.
2Commit and OrganizeUnderstanding how Sarbanes-Oxley applies toyour company — based on its business charac-
teristics — can aid in the development of your inter-nal control program. Many factors will come intoplay. For example, larger companies will face chal-lenges distinct from those of smaller enterprises.Also, the extent to which you already have a stronginternal control framework in place will have signifi-cant bearing on your activities.
Three groups will play a prominent role: the board ofdirectors, which oversees the company’s commitmentto the task; the CEO and CFO, who acknowledgeresponsibility for ensuring compliance and commu-nicate this information to key management andemployees; and the steering committee, which over-sees and coordinates Sarbanes-Oxley activities acrossthe organization.
3Select a Suitable Internal ControlFrameworkTo meet the objectives of the act, many compa-
nies build their internal control structure around therecommendations of the Committee of SponsoringOrganizations of the Treadway Commission (COSO).While other frameworks for internal control exist, webelieve COSO will become the dominant model, andwe recommend its adoption.
The COSO framework breaks effective internal con-trol into five interrelated components:
>Control Environment – the foundation for all otherelements of internal control, which includes theethical values and competence of the company’semployees.
>Risk Assessment – the identification and analysis of
relevant risks that can hinder the achievement ofbusiness objectives.
>Control Activities – specific tasks to mitigate each ofthe risks identified above.
>Information and Communication – informationpathways from management to employees and vice versa.
>Monitoring – the evaluation and assessment ofinternal control.
4Empower the Disclosure CommitteeThe formation of a disclosure committee repre-sents one of the most important controls that a
company can implement. The disclosure committeeperforms numerous functions, including reviewingSEC filings, recommending parameters for disclo-sure, overseeing disclosure processes, and reviewingcontrol deficiencies and material weaknesses with theCEO and CFO.
5Establish an Internal Control Program For this labor-intensive step, a number ofactions are required:
>Plan the Project – We recommend forming an inter-nal control program management team to establishor strengthen the internal control program. Smallerenterprises may be able to redeploy, on a part-timebasis, existing staff. Larger companies may need ded-icated full-time personnel.
>Assess the Control Environment – Forming thefoundation of internal control, the control environ-ment includes such elements as integrity, ethicalvalues, and competence; management’s philosophyand operating style; delegation of authority andresponsibility; and the direction provided by theboard of directors. A cultural assessment can aid inunderstanding and documenting your existing con-trol environment.
>Define the Scope – The goal of the scope definitionprocess is to identify financial reporting and disclo-sure risks. This will allow efforts to be prioritized andfocused.
>Build a Controls Repository – The controls reposito-ry serves as a clearinghouse for all information andactivities related to internal control, containing docu-
5
mentation on control objectives, design, and implementation as well asmethods for testing the operating effectiveness of such activities.
>Perform Initial and Ongoing Tests – The operating effectiveness of thecontrol activities should be evaluated by various parties, including theindividuals responsible for the controls and the internal control programmanagement team.
>Monitor – The internal audit function should monitor the effectivenessof the entire internal control program and infrastructure. (Companieswithout an internal audit function may consider using the internal controlprogram management team to perform these activities.)
Enabling Technologies to Achieve ResultsA variety of tools can aid in the development of an internal control pro-gram. Database programs and proprietary tools can be used to documentcontrol objectives, processes, and activities; can help to identify gaps andtrack actions to remediate deficiencies; and can support self-assessmentand monitoring activities.
ConclusionParallels can be drawn between the effect of the Sarbanes-Oxley Act of2002 on public companies and the impact of the Federal DepositInsurance Corporation Improvement Act of 1991 (FDICIA) on the bank-ing industry: Both statutes introduced regulations to remedy perceivedmarket failures and each enacted significant new reporting require-ments. There are several lessons public companies can learn from theFDICIA example.
1. Accept that the environment has profoundly changed. Companiesmust recognize that they operate in a new environment — one thatdemands more effort and accountability.
2. Promote understanding of internal control within the organization.Companies may be tempted to show superficial compliance withSarbanes-Oxley, but such an approach may backfire if controls failbecause form was stressed over substance.
3. Factor into your business model the cost of developing an internalcontrol program. Good internal control is not a one-time expense;rather, it fundamentally changes the cost of doing business.
Recent events have placed us in a unique period in the history ofAmerican business. The call for corporate responsibility has never beengreater. The need to link sound corporate governance to effective controlactivities has never been clearer. And in terms of restoring public confi-dence in the financial markets, there has never been more at stake.Forward-thinking companies and executives will seize the opportunity.Those who fail to act may pay a heavy price.
6
Obligations and Opportunities
In July 2002, President George W. Bush signed theSarbanes-Oxley Act into law and into the collectiveconsciousness of business leaders and governmentofficials around the world. Replete with accounting,disclosure, and corporate governance reforms, thisstatute seeks, in tangible ways, to “repair” the pub-lic’s lost faith in our country’s business leaders, andto re-emphasize the importance of ethical standardsin the preparation of financial information reportedto investors.
Sarbanes-Oxley and related rules issued by theSecurities and Exchange Commission are complexlaws and regulations that have engendered confusionand consternation in the business community. Butbehind all the rules and requirements, the certifica-tion of “this” and the attestation to “that,” theSarbanes-Oxley Act is simply government’s way ofputting legal teeth into the basic precepts of good cor-porate governance and ethical business practices.Sarbanes-Oxley codifies the view that company man-agement should be aware of material informationthat is filed with the SEC and released to investors,and should be held accountable for the fairness, thor-oughness, and accuracy of this information.
Many observers believe that instituting these newprocedures for internal control and executive certifi-cation represents an essential course correction forpublic companies, mandating processes that compa-nies should have considered adopting in the firstplace. Similarly, other pundits contend that focusingon good corporate governance and transparency offinancial information simply makes sound businesssense. But the new rules come at a cost: Thesechanges will necessitate significant alterations in theprocedures and practices, as well as the day-to-daylives, of many senior executives and the peoplereporting to them. Yet most companies won’t need tostart from scratch: Many will be able to tailor theirexisting processes to comply with the internal controlrequirements of Sarbanes-Oxley.
Perhaps the most important realization is that theplaying field has changed dramatically — and perma-nently. For a public company, compliance underSarbanes-Oxley is non-negotiable; if you are “unhap-py” with the provisions, you can’t simply pick up yourball and go home. (Unless, of course, you choose analternative strategy — taking your company private.)For audit committees and senior management ofpublic companies, particularly CEOs and CFOs, thedefinitions of financial stewardship and personalaccountability have been made more explicit and thestakes significantly higher.
Your obligations are clear but so are your opportuni-ties. By effectively navigating this new landscape, thepotential to revise and realize new corporate visions andachieve new levels of corporate excellence abounds.Forward-thinking executives will endeavor to harnessthe mandated changes to drive better business per-formance.
Private companies, although not legally obligated tocomply with the act, may also choose to adopt certaincomponents as part of an overall plan to improvebusiness operations.
This document focuses heavily, as does Sarbanes-Oxley itself, on internal control. But readers shouldbe aware that internal control makes up just one ofthe many components of good corporate governance.Numerous other considerations also come into play:integrity and ethical values; management philosophyand operating style; organizational structure; well-delineated roles and responsibilities for boards, man-agement, and employees; commitment to excellence;effective and proactive boards and committees; andmany more.
As a steward of your company, it behooves you totreat Sarbanes-Oxley compliance as a top priority.This new emphasis on internal control and transpar-ent disclosure is no passing fad. Sarbanes-Oxley fun-damentally changes your world, and you can’t affordto underestimate the task before you. Immediateaction is required.
Moving Forward
7
Many of the provisions of the act are still in their formative stages, and new rules and regulations will be prom-ulgated. Undoubtedly, the effects of the Sarbanes-Oxley Act will be felt well into the future.
Linking Governance To Control ActivitiesThe Sarbanes-Oxley Act makes company executives explicitlyresponsible for establishing, evaluating, and monitoring the effec-tiveness of their company’s internal control structure. For manyexecutives, the intricacies of compliance and the implications offailure can be daunting.
Yet the situation may not be as dire as imagined. That’s becausealmost every public company already has in place some semblanceof an internal control structure. For example, whenever a memberof the finance department uses a unique password to gain accessto the company’s financial system, a control is being exerted.
Furthermore, most companies already have implemented some levelof monitoring. For instance, using the example above, whenever asupervisor reviews the user logs to determine that appropriate sys-tem access is being maintained, monitoring is taking place.
Yet while the situation may not be dire, it may be far from opti-mal. At many companies, a significant gap exists between the employees performing control activities andthe executives who make strategic governance decisions.
Certain terms related to internalcontrol arise frequently during dis-cussion of the Sarbanes-Oxley Actand associated SEC regulations.Here are brief definitions of themost commonly used.
Internal Control
The most widely accepted defini-tion of internal control was devel-oped by the Committee ofSponsoring Organizations of theTreadway Commission:
“… a process, effected by an enti-ty’s board of directors, manage-ment, and other personnel,designed to provide reasonableassurance regarding the achieve-ment of objectives in the followingcategories:
• effectiveness and efficiency ofoperations;
• reliability of financial reporting;
• compliance with applicable lawsand regulations.”
Internal Controls and Procedures forFinancial Reporting The SEC has proposed defining inter-nal controls and procedures for finan-cial reporting to mean “controls thatpertain to the preparation of financialstatements for external purposes thatare fairly presented in conformity withgenerally accepted accounting princi-ples.”
Disclosure Controls and ProceduresA term newly introduced by theSEC following the enactment ofSarbanes-Oxley, disclosure controlsand procedures “are designed to
ensure that information required tobe disclosed by a company in thereports filed by it under theExchange Act is recorded,processed, summarized, and report-ed within the time periods speci-fied by the SEC.” This definitionincludes both financial and non-financial disclosures.
Examples of non-financial disclo-sure may include such items as thesigning of a significant contract;developments regarding intellectu-al property; changes in union rela-tionships; termination of a strategicrelationship; legal proceedings; orrequired disclosures in theManagement’s Discussion andAnalysis contained in Forms 10-K,10-Q, and 20-F.
Control Activities
Missing Link:Compliance Program
& Infrastructure
Governance
Defining Controls
8
Most companies do not — nor, before Sarbanes-Oxley, werethey legally obliged to — have a direct link from the gover-nance activities of the board and senior management to thecontrol activities of the organization. But now, becauseSarbanes-Oxley requires top executives to state, for therecord, how well their internal control structure is func-tioning, establishing such a link is crucial to compliance.
The purpose of this document is to provide an overview of an internal control program and infrastructure thatcompanies can tailor to mesh with existing resources, process-es, and technologies, and to provide the missing link that con-nects strong control activities with responsive corporate gover-nance. On the following pages, we will summarize — in plainEnglish — Sections 302 and 404 of Sarbanes-Oxley and somepotential ramifications for your company. We will recommendcommittees to form, principles to observe, and information tocapture, and will help map — step-by-step — a path leading toan enhanced internal control structure.
The benefits may extend far beyond compliance with Sarbanes-Oxley. In fact, a strong internal control structure can help your company:
• make better business decisions with higher quality, moretimely information;
• gain (or regain) investor trust;
• prevent loss of resources;
• comply with applicable laws and regulations;
• gain competitive advantage through streamlined operations.
Conversely, the consequences of failure could be nothingshort of disastrous. Companies that neglect to institute therequired controls may find themselves in situations similar tothose that led to the promulgation of Sarbanes-Oxley in thefirst place, resulting in:
• increased exposure to fraud;
• sanctions from the SEC;
• unfavorable publicity;
• negative impact on shareholder value;
• shareholder lawsuits or other legal actions.
We recommend that, after reading this document, you consultwith legal counsel and your independent auditor to discussthe development of an internal control program customizedto your business.
A strong internal controlstructure can provide benefits well beyond
compliance with Sarbanes-Oxley.
9
To enhance performance, many professional athletes visualize the perfect shot or the perfectswing. This technique can well serve here.
Visualize what your company will look like after your internal control program is operatingsmoothly:
Imagine…
… a strong internal control framework that helps keep your company on course towardgrowth and profitability.
… procedures that allow you to meet significant new reporting and disclosure requirementsmandated by Sarbanes-Oxley.
… a framework that withstands the scrutiny of your independent auditor, the SEC, and other regulatory bodies.
… increased investor confidence in your company.
… your company becoming a recognized leader in corporate governance, known for the quality and integrity of its financial reporting.
… improved flow of information permitting better business decisions.
… a restoration of trust and confidence in the public securities market that was earned bycorporate executives because they took this process seriously and responsibly.
Much of the discussion — and the uncertainty — surrounding Sarbanes-Oxley has focusedon Sections 302 and 404, and rightly so.
Many companies have adopted a strategy that prioritizes compliance with Section 302 overthat of Section 404. Ostensibly, such an approach makes sense. After all, Section 302 isalready in force (since August 2002), whereas Section 404, as proposed, won’t apply untillate 2003.
Yet we believe that separately addressing these two sections of the act constitutes an ineffi-cient and likely counterproductive process. Solid arguments can be made for integrating the
provisions of each into a larger internal control struc-ture robust enough to comply with both Sections 302and 404. We’ll outline that rationale below. But first, abrief summary of each section of the act will help toclarify the discussion.
Section 302: Your Quarterly and Annual Certification ofDisclosure Controls and Procedures Section 302 imposes new levels of accountability onCEOs and CFOs, who now must personally certify thatdisclosure controls and procedures have been imple-mented and evaluated. (The SEC has also proposed anexpanded certification requirement that includes inter-nal controls and procedures for financial reporting, in
Step 1Start With the End in Mind
Section 906: CorporateResponsibility for Financial Reports
Another widely publicized provision of Sarbanes-Oxley — Section 906— took effect in August 2002. This section requires CEOs and CFOs tosign and certify the periodic report containing financial statements. Theexecutive certification states that the report complies with SEC reportingrequirements and fairly represents the company’s financial condition andthe results of its operations. Failure to comply with this requirement car-ries a high price: Fines of up to $5 million and imprisonment for up to 20years can be imposed for knowing or willful failure to comply. This is theprovision that carries the “teeth” of the act.
10
addition to the requirement related to disclosure con-trols and procedures.) Roles have been altered aswell: The CEO must now directly acknowledgeresponsibility for internal control that previously hadbeen largely delegated to the CFO.
With each quarterly and annual filing, the CEO andCFO must certify that they:
• are responsible for disclosure controls and pro-cedures;
• have designed (or supervised the design of)these controls to ensure that material informa-tion is made known to them;
• have evaluated the effectiveness of these controlseach quarter;
• have presented their conclusions regarding theeffectiveness of these controls;
• have disclosed to their audit committee and theindependent auditors any significant controldeficiencies, material weaknesses, and acts offraud that involve management or other employ-ees who have a significant role in the company’sinternal control;
• have indicated in the filing any significantchanges to controls.
Meeting some of the mandates of Section 302 mayprove relatively painless. For example, reaffirmingeach quarter that the CEO and CFO are responsiblefor disclosure controls and procedures may quicklybecome a regular task. Yet the simple wording ofother provisions belie the level of effort that may berequired to comply. Consider, for example, therequirement that disclosure controls and proceduresbe reevaluated every quarter. For a dynamic organiza-tion that is creating new products and services, com-pleting mergers and acquisitions, forming alliances,and reorganizing divisions and departments, thesheer logistics of developing, monitoring, and evalu-ating such controls can rapidly become daunting.
Section 404: Your Annual Assessment of Internal Controlsand Procedures for Financial ReportingSection 404 mandates an annual evaluation of inter-nal controls and procedures for financial reporting.Like Section 302, Section 404 requires CEOs andCFOs to periodically assess and vouch for the effec-tiveness of these controls.
Section 404 obliges companies to include in theirannual report an internal control report from man-agement that:
Defining Deficiencies and WeaknessesControl Deficiency: A “control deficiency” indicates a flaw in the design, the implementation, and/or the operating effectiveness of acontrol activity. Such defects could adversely affect the company’s ability to initiate, record, process, summarize, and report accuratefinancial and non-financial data.
Significant Deficiency/Reportable Condition: The SEC’s description of a significant deficiency makes it analogous to a “reportablecondition” as described in the auditing standards. Reportable conditions are control deficiencies coming to the independent auditor’sattention that, in his or her judgment, should be communicated to the audit committee because they represent significant deficienciesin the design or operation of internal control, which could adversely affect the organization’s ability to initiate, record, process, summa-rize, and report accurate financial data and non-financial data.
Material Weakness: According to auditing standards, a material weakness is a reportable condition in which the design or operationof one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by erroror fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected with-in a timely period by employees in the normal course of performing their assigned functions. Evaluating whether a reportable condi-tion is also a material weakness is a subjective process that depends on factors such as the nature of the accounting system and of anyfinancial statement amounts or transactions exposed to the reportable condition, the overall control environment, other controls andthe judgment of those making the decision. The presence of one or more material weaknesses may indicate that the internal controlstructure is not effective.
11
• affirms their responsibility for establishing andmaintaining internal controls and proceduresfor financial reporting;
• evaluates and reaches conclusions about theeffectiveness of internal controls and proceduresfor financial reporting;
• states that the company’s independent auditorhas attested to, and reported on, management’sevaluation of the company’s internal controlsand procedures for financial reporting.
Under the proposed SEC rules, management willalso be required to certify the effectiveness of theirinternal controls and procedures for financial report-ing on a quarterly basis.
In addition, Sarbanes-Oxley requires a company’sindependent auditor to complete a separate reportthat attests to management’s assessment of the effec-tiveness of internal controls and procedures forfinancial reporting.
Because your company’s CEO and CFO must makepublic statements regarding the effectiveness ofinternal control, substantial support and documenta-tion regarding both your internal control structureand your evaluation should be maintained. Also,because your independent auditor will be attesting toyour evaluation of your controls, you should be pre-pared to provide this documentation to them.
Be aware that a “clean” opinion in your last financialstatement audit isn’t a testament to the effectivenessof your internal control. When your independentauditors rendered an opinion on your financialstatements, they were not attesting to your internalcontrol structure; therefore, the testing proceduresthey performed were not designed to meet the attes-tation requirements.
In order for your independent auditor to carry outthis attestation — and for you to prepare your ownassessment — you should adopt an internal controlframework that contains objective criteria that canbe measured and evaluated. We believe that the rec-ommendations of the Committee of SponsoringOrganizations of the Treadway Commission(COSO) will emerge as the most frequently usedframework by registrants.
The evaluation that you provide to your independentauditors should be substantive, well documented,and comprehensive. An abbreviated checklist mayinclude:
• information about your company’s overall con-trol environment;
• description of the process undertaken by man-agement to identify, classify, and assess risksthat would prevent the company from achievingits financial reporting objectives;
• complete description of the control objectivescreated by management to address the risksidentified and the related control activities;
• description of the information systems and communication procedures in place to supportthe above;
• results and underlying documentation of man-agement’s latest evaluation of the design andoperating effectiveness of individual controlactivities (note: reliance solely on representa-tions of subordinates may not suffice);
• listing of all deficiencies found in the designand implementation of control activities, as wellas proposed remediation procedures;
• description of the process to communicate sig-nificant deficiencies and material weaknesses tothe independent auditors and audit committee;
• description of the monitoring procedures toensure that the internal control structure is func-tioning as intended and the results of the moni-toring procedures are reviewed and acted upon;
• description of the disclosure creation processand related control activities.
302 Plus 404 Equals 1Now, armed with a more comprehensive understand-ing of Sections 302 and 404, an effective strategybecomes clear: The mandates of both sections can beaddressed through a single methodology. An internalcontrol program that simultaneously focuses on dis-closure and financial reporting can meet the quarter-ly requirements of Section 302, the annual require-ments of Section 404, as well as the needs of inde-pendent auditors to perform their attestation proce-dures. (A call to more closely align the requirementsof the two sections of Sarbanes-Oxley has echoed
12
throughout the business community, and mostobservers expect the SEC to continue to move in thatdirection.)
Effective, yes, but easy? Not at all. The tasks are many:This new emphasis on internal control and compli-ance must be infused throughout the organization.Smaller companies, which most likely don’t have arobust infrastructure and an extensive staff, may findconformity especially taxing. Companies of all sizeswill be forced to devote significant resources to theeffort — time, money, and personnel.
The dollar costs of compliance will be considerable(but not, it should be noted, as high as the costs ofnon-compliance!). Direct costs may include employeeand consultant time for assessment, implementation,and monitoring; educating employees about internalcontrol; outlays for new technology to support theinternal control program; fees for your independentauditor to perform control testing in order to attest toyour assertion regarding the effectiveness of yourinternal control. Indirect costs may include the reas-signment of people and realignment of otherresources in the organization to create and maintain abetter internal control structure.
However, as stated above, most public companiesalready have some form of an internal control struc-ture in place. Organizations may not have to buytotally new systems or develop entirely new processes,but instead may be able to tailor their existingresources and integrate them into the new internalcontrol structure.
13
Step 2Commit and Organize
Take StockBefore kicking off your Sarbanes-Oxley internal control project, an infor-mal assessment can help you get your bearings: Understanding how theact applies to your company — based on its business characteristics —can bolster the development of the action plan.
Although virtually all public companies will need to make adjustmentsbefore they can confidently evaluate and certify the effectiveness of theirinternal control, clearly some companies will need to make more sweep-ing changes than others. To a large extent, the nature of your operationswill dictate the scope of changes required. For example, a highly decen-tralized company may need a more elaborate response to the internalcontrol provisions of Sarbanes-Oxley than a registrant with simpler char-acteristics.
Company size and complexity presents an interesting paradox. As a rule,implementing internal control in a smaller company is easier sincethere are fewer people, divisions, processes, etc. to accommodate. Yetsmaller companies often have such an informal infrastructure that sig-nificant remedial action may be required.
On the other side of the ledger, global companies that must institutecontrol activities at multiple locations may face a significant challenge asthey try to reconcile a variety of systems and procedures across theenterprise. In addition, global companies face the challenges of country-specific regulations and unique cultures. These large companies stand tobenefit from the uniformity of approach and consistency of applicationthat their internal control program can spur.
Industry — and, more specifically, industry regulations — presentsanother variable. For example, depository institutions that are subject tothe provisions of the Federal Deposit Insurance CorporationImprovement Act of 1991 (FDICIA) have had to abide by internal controlreporting rules similar to those in Sarbanes-Oxley for the last 10 years. Yetmany depository institutions will need to reinvigorate their programs forassessing the effectiveness of internal control, which, under Sarbanes-Oxley, must now take into account disclosure controls and procedures.
Commit to the Task With an understanding of how much of an effort your company willlikely need to exert, you are ready to begin. We believe this process canonly start from one place — the top.
The CEO and CFO should set the tone and initiate the course of action.The board of directors also plays an important role. Although not direct-ly responsible for implementation of Sarbanes-Oxley, the board should
14
oversee the company’s commitment to the task and should be keptapprised of the development of the internal control program.
To serve effectively, the CEO and CFO and the board must, naturally,have a working knowledge of the act. If briefing sessions are requiredto bring them up to speed, they should be scheduled. Once membershave a full appreciation of the demands of Sarbanes-Oxley, the CEOand CFO should formally commit the company to the task andacknowledge responsibility for ensuring compliance.
Next, a formal communication should be made to key managementand employees. The communication should include a directive forcompliance with the provisions of Sarbanes-Oxley, a definition of thetask at hand, general instructions, and the broad assignment ofresources.
Form a Steering CommitteeWe recommend that a steering committee be formed to oversee andcoordinate all of your Sarbanes-Oxley activities — including thosebeyond the scope of Sections 302 and 404 — across the organization.This is a high-level group: Its key members should be knowledgeableabout the company’s “big picture,” be integral to the implementationof company strategy, and have the authority to make critical deci-sions and allocate resources where and when needed.
In smaller companies, the steering committee may consist only ofthe two individuals who will be certifying the effectiveness of inter-nal control — the CEO and CFO. In larger organizations, membersmay include other executives, such as the chief accounting officer,director of internal audit, and general counsel, as well as an advisorfrom the audit committee. In companies of all sizes, a board ofdirector’s designee should be assigned to monitor the steering com-mittee’s processes and progress.
Functions of the steering committee will include:
• establishing the parameters under which the disclosure committee will operate;
• identifying the people needed to achieve objectives;
• keeping the board of directors and management informed of progress.
The deliberations and actions of the steering committee — as wellas those of any other group working on compliance — should bedocumented. A written record may lay the roadmap for puttingobjectives into action. We suggest that you consult with your legalcounsel regarding the nature and extent of documentation.
15
Step 3Select a Suitable Internal Control Framework
Whether you are starting from scratch or strength-ening your existing internal control framework, youshould strive for a system that meets four criteria: (1) objectivity, (2) measurability, (3) completeness,and (4) relevance.
Accordingly, many companies build their internalcontrol structure around the recommendations of theCommittee of Sponsoring Organizations of theTreadway Commission (COSO). However, COSO rep-resents just one — albeit the most widely recognized— of several internal control frameworks.(See sidebar.)
Internal Control According to COSO Internal control, as defined by COSO, is a processeffected by a company’s board of directors, manage-ment, and other personnel that drives business suc-cess in three categories:
• effectiveness and efficiency of operations;
• reliability of financial reporting;
• compliance with applicable laws and regulations.
Given its ubiquity, COSO will provide the basis of ourdiscussion on selecting a suitable internal controlframework. Note that the COSO guidelines, pub-lished in 1991, don’t explicitly refer to disclosure con-trols and procedures. Rather, the framework thatCOSO describes is broader, encompassing both dis-closure controls and procedures and internal controlsand procedures for financial reporting.
The COSO framework breaks effective internal con-trol into five interrelated components in order to sim-plify management’s task of administering andsupervising all of the activities that go into a suc-cessful internal control structure.
The Control Environment encompasses every facet ofthe internal control framework — it is the universe inwhich all the other elements exist. The control envi-ronment includes such concepts as tone, attitude,awareness, competence, and style. It derives much ofits strength from the tone established by the company’sboard and executives.
Frameworks for Internal Control
A number of evaluative frameworks for internal control areavailable. Among the most prominent are:
A. COSO - Internal Control-Integrated Framework:Developed by the Committee of Sponsoring Organizationsof the Treadway Commission and sponsored by the AICPA,FEI, the IIA, and others, COSO is the dominant frameworkin the U.S. The guidelines were first published in 1991,with anticipated revisions and updates forthcoming. Webelieve this will be the framework chosen by the vastmajority of U.S.-based public companies.
B. CoCo - The Control Model: Developed by the Criteria ofControl Committee of the Canadian Institute of CharteredAccountants, CoCo focuses on behavioral values ratherthan control structure and procedures as the fundamen-tal basis for internal control in a company.
C. Turnbull Report - Internal Control: Guidance forDirectors on the Combined Code: Developed by theCommittee on Corporate Governance of the Institute ofChartered Accountants in England & Wales, in conjunctionwith the London Stock Exchange, the guide was pub-lished in 1999. Turnbull requires companies to identify,evaluate, and manage their significant risks and to assessthe effectiveness of the related internal control system.
D. ACC - Australian Criteria of Control: Issued in 1998 bythe Institute of Internal Auditors – Australia, the ACCemphasizes the competency of management andemployees to develop and operate the internal controlframework. Self-committed control, which includes suchattributes as attitudes, behaviors, and competency, is pro-moted as the most cost-effective approach to internalcontrol.
E. The King Report: The King Report, released by theKing Committee on Corporate Governance in 1994, pro-motes high standards of corporate governance in SouthAfrica. The King Report goes beyond the usual financialand regulatory aspects of corporate governance byaddressing social, ethical, and environmental concerns.
16
Risk Assessment involves the identificationand analysis by management of relevantrisks to achieving business objectives. In thecourse of a risk assessment, each businessobjective, from highest level (such as “run aprofitable company”) to the lowest level(such as “safeguard cash”) is documentedand then every risk that might undermineor block the objective is identified and prior-itized.
Control Activities are developed to specifical-ly address each control objective to mitigatethe risks identified above. Control activitiesare the policies, procedures, and practicesthat are put into place to ensure that busi-ness objectives are achieved and risk mitiga-tion strategies are carried out.
Information and Communication supportsinternal control by conveying directivesfrom the management level to the employ-ees in a form and a timeframe that allowsthem to effectively perform their controlactivities. The process should also work inreverse, communicating information onresults, deficiencies and emerging issuesfrom the lowest levels of a company to man-agement and the board of directors.
Monitoring is a process to evaluate andassess the quality of internal control overtime through ongoing and special evalua-tions. Monitoring can include both internaland external oversight of internal control bymanagement, employees, and outside parties.
Three Objectives Categories
Monitoring
Information & Communication
Control Activities
Risk Assessment
Control Environment
Operatio
ns
Financial
Reporting
Compliance
Five
Com
pone
nts
©19
92 b
y th
e A
mer
ican
Inst
itut
e of
Cer
tifie
d Pu
blic
Acc
oun
tan
ts,I
nc.
Repr
inte
d w
ith
per
mis
sion
.
Un
it A
Un
it B
Act
ivit
y 1
Act
ivit
y 2
Relationship of Objectives and Components
Internal control is relevant to an entire enterprise, or to any of its unitsor activities.
All five components are applicable and important to achievement ofoperations objectives.
There is a direct relationship between objectives, which represent whatan entity strives to achieve, and components, which represent what isneeded to achieve the objectives.
Information is needed for all three objectives categories—to effectively manage business operations, prepare financial statementsreliably, and determine compliance.
Framework: MandatoryHow important is the internal control framework to your Sarbanes-Oxley internal control program? Consider this:
Without a suitable internal control framework (COSO or similar), full compliance with Section 404 of Sarbanes-Oxley will likely notbe possible. Remember that under Section 404, your independent auditor must complete a report that attests to your assertion onthe effectiveness of your internal controls and procedures for financial reporting. If your company hasn’t adopted an internal con-trol framework, there will be no criteria against which your company or its independent auditor can measure effectiveness.
Or, to put it another way: You’ve got to pick the set of rules that you want to play by. And if you don’t have any rules, your independ-ent auditor can’t referee the game!
17
The formation and activities of a disclosure commit-tee represent one of the most important controls thata company can implement to ensure that its filingsare fair, accurate, timely, and complete.
Indeed, disclosure issues provide much of the impe-tus behind Sarbanes-Oxley. As noted previously,Section 302 of the act calls for CEOs and CFOs tocertify that disclosure controls and procedures are inplace and are effective. Additionally, it is possible thatthe SEC will require a company’s independent audi-tor to attest to the effectiveness of the company’s dis-closure controls and procedures in addition to inter-nal controls and procedures for financial reporting.In fact, so critical does the SEC deem the issue of dis-closure, that the SEC advises all public companies tocreate a dedicated committee to oversee disclosureactivities.
Based on our preliminary observations, effective disclosure committees consist of individuals who:
• are familiar with SEC rules;
• are knowledgeable about the primary aspects ofthe company’s business;
• are familiar with the disclosure practices of peercompanies;
• have sufficient stature within the company toinitiate action when appropriate.
The size of your company will, in part, determine the makeup of your disclosure committee. Largercompanies may have a full complement of personnelwith the job titles listed below. Smaller companiesmay have individuals whose job descriptions spanseveral titles.
Some possible members of the disclosure committeeinclude:
• principal accounting officer or controller;
• general counsel or another senior legal officerresponsible for SEC filings who reports to thegeneral counsel;
• principal risk management officer;
• chief investor relations officer;
• chief operations officer;
• general (internal) auditor;
• other officers or employees (including businessunit representatives), as the company deemsappropriate. Some of these individuals might beheads of key business units, heads of geographicregions, a business development representative,or a human resources representative.
Other parties, such as independent auditors andexternal legal counsel, can serve as valuable advisorsto the disclosure committee, but should not make
Step 4Empower the Disclosure Committee
Crucial CommitteesInitiating or strengthening your internal control program may require a deployment (or redeployment) of personnel. We recommend thatseveral new committees be formed to aid in the process:
Steering Committee: A high level,“big picture” group that oversees and coordinates all internal control activities. In small companies, thesteering committee may consist of no more than the CEO and CFO. Larger organizations may have proportionally more members.
Disclosure Committee: The SEC advises all public companies to create a disclosure committee to ensure that company filings are fair,accurate, timely, and complete. The committee sets parameters for disclosure and determines the appropriateness of disclosures in all pub-licly disseminated information.
Internal Control Program Management Team: Responsible for a large proportion of internal control work. The team's activities mayinclude assessment, development, implementation, and remediation of internal control.
18
decisions or function as voting members of thegroup.
The disclosure committee serves numerous func-tions, including:
• determining appropriateness of disclosures indrafts of all publicly disseminated information;
• overseeing the process by which disclosures arecreated and reviewed;
• identifying what constitutes a “significant” trans-action or event;
• identifying what constitutes a “significant defi-ciency” and “material weakness” in the design oroperation of internal control;
• ensuring that the CEO and CFO are aware ofmaterial information that could affect disclosures;
• reviewing control deficiencies with the CEO andCFO to determine whether, individually or in theaggregate, they constitute a material weakness; and making recommenda-tions whether they therefore should be disclosed in the SEC filings.
One of the preliminary acts of the disclo-sure committee will be to define its mis-sion. To operate effectively, the committeeshould develop a clear description of itsscope of responsibilities. The disclosurecommittee should seek formal confirmationof its understanding with the CEO and CFO.
The most prominent task facing the disclo-sure committee will be making sureprocesses are in place to gather and analyzethe information to determine whether prop-er disclosure has occurred. Among otheritems, the committee should review:
• all SEC filings, including all 1934Exchange Act filings (e.g., forms 10-Q,10-K, and 20-F), and 1933 SecuritiesAct registration statements (e.g., formsS-1 and S-3);
• management’s quarterly and annualevaluations of disclosure controls andprocedures and internal controls andprocedures for financial reporting;
• all press releases providing financial informa-tion or guidance, information about materialacquisitions or dispositions or other events thatare material to the company;
• correspondence broadly disseminated to share-holders;
• all presentations to investor conferences or ana-lysts, in conformity with Regulation FD (FullDisclosure);
• all presentations to rating agencies and lenders;
• internal audit reports;
• briefing books for management;
• briefing books for the board of directors andaudit committee;
• the company’s disclosure policies for informa-tion included on its corporate/investor relationsWeb sites.
Degrees of DeficiencyWhen trying to determine whether a control deficiency is “signifi-cant,” factors such as organization size, the quantitative and qualita-tive aspects of the risk factors that the activity was intended to mit-igate, and complexity of operations need to be taken into account.
Examples of potentially significant deficiencies in the design andimplementation of a control activity may include:
• The company has no procedures in place to evaluate the cred-it-worthiness of new customers.
• The company has no procedures in place to track the value ofits equity investments.
(These examples assume that the related business processes andaccount balances are material to the company at hand.)
Potentially significant deficiencies in the operating effectiveness ofcontrol activities may include:
• While the company has procedures in place to evaluate thecredit-worthiness of new customers, orders are oftenprocessed for accounts that have been blocked.
• Although the company tracks its equity investments, differ-ences between the company’s records and third-party state-ments are not investigated in a timely manner.
19
Although the disclosure committee is accountableto the CEO and CFO, a member of the disclosurecommittee may meet periodically with the auditcommittee to discuss:
• the activities of the disclosure committee;
• the quality of disclosures included in thecompany’s filings;
• disagreements with the CEO and CFO;
• disagreements with external experts such aslegal counsel or the independent auditors.
The audit committee can also take a role in resolv-ing significant disagreements. For example, if thedisclosure committee recommended disclosure ofparticular information, but the CEO and/or CFOdisagreed, the audit committee could be calledupon to influence the final decision.
20
Step 5Establish an Internal Control Program
For many companies, complying with the internalcontrol provisions of Sarbanes-Oxley will requiresignificant effort. In fact, the initial work — devel-oping an internal control program and related sup-port infrastructure — may be intensive. However,once the program is well-established, the burdenwill be eased, and the structure and processes willbecome part of your company’s standard operatingprocedures.
The following steps, which are explained in detailbelow, can be followed when establishing an internalcontrol program:
• Plan the Project;
• Assess the Control Environment;
• Define the Scope;
• Build a Controls Repository;
• Perform Initial and Ongoing Tests;
• Monitor.
Plan the ProjectWe recommend forming an internal control pro-gram management team to establish the internalcontrol program. The size and complexity of yourcompany will determine how you allocate per
sonnel resources to the team. In a small company,little organizational structure may be needed; theteam may consist solely of part-time members —perhaps a project manager and a few support staff.However, for larger companies, you may need todeploy a significant number of people in dedicated,full-time roles.
For many companies that already have an internalcontrol group, it may not be necessary to form aseparate internal control program managementteam. However, the steering committee shouldassess whether the existing internal control grouphas the appropriate personnel to carry out the stepsselected by the company.
Once the team is established, a project plan shouldbe created. At a high level, the overall planningprocess should result in the following:
• understanding and relative agreement on projectobjectives, deliverables, scope, cost, andapproach;
• commitment that the resources needed are avail-able when required;
• agreement on whether outside resources will beused and a description of their role;
• project baseline to which progress can be compared;
• agreement on processes and methodologiesused to manage the project.
>Internal Control Reliability Model – The reliabilityof internal control is often a function of the followingcharacteristics:
• the design and operating effectiveness of controls;
• the extent of documentation of controls and procedures;
• employee awareness of the control activities thatthey are responsible for;
• independent monitoring.
In developing a project plan, the internal controlproject management team may find it helpful to usea tool such as the Internal Control Reliability Model.
The Role of Internal Audit
Many companies already have an internal audit func-
tion, and in light of recent proposals by certain stock
exchanges, we expect that many more companies will
be establishing the function in the future. Internal
audit members can play an important role in a compa-
ny’s Sarbanes-Oxley activities by contributing their
knowledge of processes and internal control, monitor-
ing management’s assessment activities, providing
input to a risk assessment process, and serving as an
important link to the audit committee.
21
Impl
icat
ions
Ch
arac
teris
tics
Stage 1 – Unreliable
Controls and related policiesand procedures are not in place anddocumented.
A disclosure creationprocess does not exist.
Employees are not aware of their responsibility forcontrol activities.
The operating effectivenessof control activities is notevaluated on a regular basis.
Control deficiencies are notidentified.
Insufficient documentationto support management’scertification and assertion.
Level of effort to document,test, and remediate controlsis significant.
Stage 2 – Insufficient
Controls and related policiesand procedures are in placebut not fully documented.
A disclosure creationprocess is in place but notfully documented.
Employees may not beaware of their responsibilityfor control activities.
The operating effectivenessof control activities is notadequately evaluated on aregular basis and theprocess is not fullydocumented.
Control deficiencies may be identified but are notremediated in a timelymanner.
Insufficient documentationto support management’scertification and assertion.
Level of effort to document,test, and remediate controlsis significant.
Stage 3 – Reliable
Controls and related policiesand procedures are in placeand adequately documented.
A disclosure creation processis in place and adequatelydocumented.
Employees are aware of theirresponsibility for controlactivities.
The operating effectivenessof control activities isevaluated on a periodic basis(e.g., quarterly) and theprocess is adequetelydocumented.
Control deficiencies areidentified and remediated ina timely manner.
Sufficient documentationto support management’scertification and assertion.
Level of effort to document,test, and remediate controlsmay be significant dependingon the company’scircumstances.
Stage 4 – Optimal
Meets all of thecharacteristics of Stage 3.
An enterprise-wide controland risk managementprogram exists such thatcontrols and procedures are documented andcontinuously reevaluated to reflect major process ororganizational changes.
A self-assessment process is used to evaluate thedesign and effectiveness ofcontrols.
Technology is leveraged to document processes,control objectives andactivities, identify gaps, andevaluate the effectiveness ofcontrols.
Implications of Stage 3.
Improved decision-makingbecause of high-quality,timely information.
Efficient use of internalresources.
Real-time monitoring.
Internal ControlReliability Model
Extent of Documentation, Awareness,and Monitoring
Des
ign
an
d O
per
atin
g E
ffec
tive
nes
s
Stage 1 – Unreliable
Stage 2 – Insufficient
Stage 3 – Reliable
Stage 4 – Optimal
22
This model, which visually depicts the degree of reli-ability of internal control, can be applied to any unitfor which a plan is being created (e.g., the companyas a whole, a single business unit, or a subsidiary). A version of the Internal Control Reliability Model,which is shown on page 21, is designed to categorizethe reliability of internal control into four stages: (1) unreliable, (2) insufficient, (3) reliable, and (4) opti-mal, based on the characteristics listed in the table.
When using the Internal Control Reliability Model,the project team should care-fully assess the characteristicsof the unit being evaluatedand designate the stage thatmost closely resembles thestatus of internal control ofthe unit being evaluated.
If internal control is classifiedas Unreliable (Stage 1) orInsufficient (Stage 2), it islikely that the internal controlstructure is not sufficient to support the annual attestation requirements. Undersuch circumstances, we recommend that the projectteam begin implementing the project plan immedi-ately. If implementation of the project plan is delayed,the company may not be prepared for its annual reporton internal control or the related independent audi-tor’s attestation requirements.
Note that the attainment of Stage 3, which signifiesthat the company’s internal control is adequate, is notthe end game. Rather, it is Stage 4 that representsthe intent of Sarbanes-Oxley whereby corporate gov-ernance is linked to effective control activities.
In addition to providing the project team with usefulinformation that can be used to develop the projectplan, the Internal Control Reliability Model can serveseveral additional purposes, including:
• serving as a common model for discussionbetween management and the independentauditor regarding the reliability of the compa-ny’s internal control for purposes of manage-ment’s evaluation of controls and the independ-ent auditor’s attestation;
• providing the board of directors and executivemanagement with a highly visual depiction ofthe reliability of the company’s internal control.
Assess the Control EnvironmentWritten policies and procedures are, of course, impor-tant and will play a major role in the effectiveness ofyour internal control structure. Indeed, much of thesuccess or failure of your internal control programmay ride on your written documentation. But alsocritical are the less-tangible attributes of culture, tone,
and attitude, collec-tively referred to asthe “control environ-ment.” Contributingto the control environ-ment are such ele-ments as the integrity,ethical values, andcompetence of yourcompany’s people;management’s philos-ophy and operating
style; delegation of authority and responsibility; andthe attention and direction provided by the board ofdirectors. The control environment forms the founda-tion for all other components of internal control.
To aid in the understanding of the control environ-ment, we recommend that a cultural assessment beperformed. By surveying key management andemployees throughout the organization, you canquickly gain an understanding of their attitudestoward the company’s commitment to creating aneffective control environment. If the results of thecultural assessment suggest that the company doesnot have a strong control environment, you shouldtake remedial steps, such as the following:
• communicating the importance of internal control;
• reinforcing your code of conduct and ethics andcompliance program;
• reestablishing the proper “tone at the top”;
• conducting training and awareness programs;
• establishing channels for open communication(including anonymous reporting mechanisms).
Conversely, if the results of the cultural assessment
Written policies and proceduresare important. But also critical are the less-tangible attributes of culture, tone, and attitude,collectively referred to as the
“control environment.”
23
indicate that the company has a strong control envi-ronment, you will have a strong foundation on whichto build your internal control program.
Define the ScopeThe goal of the scope definition process is to identifyand inventory risks related to financial reportingand disclosure. This will allow the internal controlprogram management team to devote their efforts toidentifying or designing controls to address suchrisks. (Note that the focus of this phase of the proj-ect — financial reporting and disclosure risks — ismore narrow than a full-scale enterprise-wide riskassessment.)
While some companies may already have a formal orinformal risk assessment program in place, it shouldbe revisited by the project team to ensure that itencompasses the comprehensive process of identify-ing all financial and disclosure risks.
The project team should begin the scope definitionprocess by identifying all of the company’s key busi-ness units, locations, and subsidiaries. Next, the teamshould interview management personnel withinthese business units to identify financial reportingand disclosure risks that could adversely affect theentity’s ability to accurately report financial and non-financial data consistent with following objectives: allamounts and disclosures are accurate, complete, fairand timely.
Management should be prepared to address, amongother things, the following during the interviewprocess:
• risks that may prevent the company from achiev-ing its business objectives;
• financial reporting and disclosure risks, considering the following:
> key business processes and systems, includ-ing outsourced applications and processes;
> non-systematic risks and processes (e.g., journal entries and accounting for contracts);
> significant accounting standards;
> SEC and industry regulations;
> instances of non-compliance with company policies and procedures;
> matters regarding highly judgmental estimates;
> significant information systems and technology;
> situations in which management could override controls.
The project team should then document and priori-tize each identified financial reporting and disclosurerisk, weighing the relative significance and likelihoodof a potential adverse effect without regard to theeffectiveness of the company’s internal control.
Factors to consider when prioritizing financial report-ing and disclosure risks include:
• relative risk to the company;
• materiality to the financial statements;
• likelihood of occurrence.
Over time your company may consider integratingthe process of prioritizing financial reporting and dis-closure risks into an enterprise-wide risk assessmentprogram that addresses all the elements of the COSOframework.
Build a Controls RepositoryThe controls repository will serve as a clearinghousefor information and activities related to internalcontrol. It will contain documentation on controlobjectives, the design and implementation of con-trol activities, as well as methods for testing theoperating effectiveness of such activities. It will bethe database on which quarterly, and annual man-agement evaluations, as prescribed by Sections 302and 404, will be based.
To develop this Control Repository, we recommendthe following steps:
The project team should document and prioritize each
financial reporting and disclosure risk.
24
• define key control objectives;
• map existing control activities against controlobjectives;
• identify areas where needed controls are absentand remediate.
>Define Key Control Objectives – As a result of thescope definition process, you should have producedan inventory of key financial reporting and disclosurerisks. The internal control program managementteam should systematically work through the risks todefine the key control objectives. We recommend thatthe team focus on risks that have been deemed “highpriority” first and work down through the other cate-gories in successive steps, as appropriate for yourenvironment.
A control objective describes what management isseeking to achieve. In the financial reporting area,examples of high-level control objectives include thefollowing:
• Authorization: Transactions are executed inaccordance with management’s general or spe-cific authorization.
• Recording: All authorized transactions arerecorded in the correct amounts, in the correcttime period, and in the appropriate account topermit the preparation of financial statements inconformity with generally accepted accountingprinciples.
• Safeguarding: Responsibility for physical cus-tody of assets is assigned to specific personnelwho are independent of related record-keepingfunctions.
• Reconciliation: Recorded assets are comparedwith existing assets at reasonable intervals, andappropriate action is taken with respect to anydifferences.
Examples of “actionable” control objectives includethe following:
• Order Management Process: Sales orders areonly processed within approved customer creditlimits.
• Purchasing Process: Amounts posted toaccounts payable represent goods purchased.
>Map Existing Control Activities Against ControlObjectives – Control activities are policies and proce-dures that help the entity to achieve its stated controlobjectives. Control activities should be embeddedwithin the operations of the business and used toreduce financial reporting and disclosure risks to rea-sonable levels.
Examples of control activities include the following:
• approvals, authorizations, and verifications;
• direct functional or activity management;
• review of performance indicators;
• security of assets;
• segregation of duties;
• information systems controls.
The objective of this step is to inventory existing con-trol activities practiced within the organization andmap those against the comprehensive list of controlobjectives developed in the previous step.
>Identify Areas Where Needed Controls Are Absentand Remediate – Once all the existing control activi-ties have been mapped to control objectives, it isprobable that there will be control objectives forwhich corresponding control activities do not exist.These gaps should be identified and documented forremediation.
Or, inversely, there may be control activities identifiedthat could not be mapped to an objective. In this con-text, these could be either unnecessary control activi-ties that could be eliminated or an indication that aneeded control objective has not been identified.
All of the gaps noted above should be remediatedthrough a systematic process, starting with high-pri-ority control objectives, until all significant controlobjectives have control activities to address them.
25
Perform Initial and Ongoing Tests Once the controls repository has been developed, the operating effectiveness ofthe control activities should be evaluated. This evaluation can be performed bythe individuals responsible for enacting the controls, or by company manage-ment, or by the internal control program management team. The objectives ofthese initial testing activities are as follows:
• to ensure that control activities are functioning properly;
• to provide information to support further remediation efforts whentesting activities reveal internal control deficiencies;
• to develop a sustainable testing program that will support manage-ment’s quarterly and annual evaluations.
To support the required quarterly and annual evaluation of internal control, ananalysis of the internal control structure should be conducted to ensure that nosignificant changes have occurred since the last evaluation period. If there havebeen major business process or organizational changes (e.g., an acquisition), itmay be necessary to repeat the steps above to modify the internal control struc-ture to address such changes.
The individuals responsible for the control activities should then evaluate theireffectiveness as part of a formal internal control self-assessment process. Aspart of this assessment process, we recommend that the operating effectivenessof the individual control activities be tested and that appropriate documentationbe retained so that it can be reviewed by the independent auditors as part oftheir attestation engagement procedures.
MonitorFor many companies, the internal audit function will play an important role inmonitoring and reporting on the effectiveness of the internal control structure.Companies without an internal audit function may consider using the internalcontrol program management team to perform these duties.
Monitoring activities that should take place include the following:
• independent assessment of the adequacy of the data contained in the controls repository;
• verification that testing activities are complete, accurate,and timely;
• confirmation that those who have evaluated control activi-ties have done so in a timely fashion, and with the full and complete understanding of the implication of such a confirmation;
• substantiation that complete and accurate documentationis maintained.
26
Enabling Technology to Achieve ResultsThe sheer logistics of compliance with the internalcontrol provisions in Sarbanes-Oxley can seem daunt-ing. Yet the burden can be greatly eased through thestrategic use of compliance tools.
Tools can aid in a variety of tasks: designing controls,documenting controls, analyzing and remediatingcontrol gaps, improving disclosure, managing risks,documenting review and sign-off, and providingimproved management reporting.
Your use of tools is limited only by your needs andyour pocketbook. In general, the needs of — and thefinancial outlay for — smaller companies will be lessthan that of larger, more complex organizations. Butregardless of companysize and complexity, thetools and technology thatyou select should be con-sistent with the needs ofyour organization.
Tools should not beregarded as an easy solu-tion to a difficult prob-lem. All tools will needsome customization towork effectively. Guard,too, against getting seduced by the technology — aproper tool should simplify rather than complicatethe process. Finally, keep in mind that tools shouldaugment your personnel, not replace them.
Before you make any capital expenditures on tools,be sure to tailor your existing resources that mightsupport your internal control program. For exam-ple, many companies maintain an intranet thatcould serve as a repository for internal control-relat-ed information and documents. Below is a summa-ry of some options.
DatabasesDatabase programs are available to support yourinternal control program. A controls database canhelp companies to document their processes, existingcontrol objectives, and activities, and to identify gapsand track actions to remediate those deficiencies. By
adding a visualization layer to the controls database,executive management can quickly understand theresults of the controls evaluation, which will aid incompleting their quarterly certification of controls.
Proprietary ToolsMany professional services firms offer proprietarytools to assist companies in connection with develop-ing an internal control program. Deloitte & Touche,for example, uses the Risk and ControlsKnowledgebase™ (RACK), a central repository ofindustry-specific and controls information, structuredaccording to business process. Using RACK, Deloitte& Touche professionals can quickly tailor process and
control information forcompanies.
Risk and control trackingsystems are Web-basedself-assessment and moni-toring systems designed tosupport larger and moresophisticated client needs.They are often flexible andscalable tools that helporganizations document,monitor, and periodically
assess the effectiveness of the internal control struc-ture. These systems are designed to address companyneeds ranging from initial assessment to risk track-ing to support certification, and hence are designedto support multiple phases of the complianceprocess. Deloitte & Touche has developed the Riskand Control Tracking System (RCTS) to assist compa-nies to structure, manage, and track the assessmentprocess and remediation plans, as well as to aggre-gate results in a single repository. This structuredapproach is intended to improve management con-trol and centralized reporting, which should facilitatethe disclosure process.
Whatever system you choose to deploy, it may be pru-dent to run a pilot program on a manageable scale —such as a division, department, or business unit —before rolling out the system across the enterprise.
The burden of compliance with the control provisions inSarbanes-Oxley can be easedthrough the strategic use of
compliance tools.
27
ConclusionCompliance with the letter, let alone the spirit, ofSarbanes-Oxley may be a daunting task. But in orderto reach a higher level of corporate integrity and per-formance, compliance with the law in and of itselfmay be inadequate.
In this regard, certain precedents can help point outpitfalls and highlight best practices. For example, theFederal Deposit Insurance Corporation ImprovementAct of 1991 (FDICIA) was to the banking industrywhat Sarbanes-Oxley is to public companies: Bothintroduced regulations to remedy perceived marketfailures, and each enacted significant new reportingrequirements. It has been more than 10 years sinceFDICIA took effect, and even ardent critics wouldconcede that the regulation’s main objectives — theprevention of large depository institution failures —have been largely achieved.
There are several lessons public companies canlearn from the FDICIA example that will helpensure success at both the individual company level(corporate integrity and responsibility) and overallfinancial markets level (transparency and symmetryof information).
1Accept that the environment has profoundly changed.Companies must recognize that they operate in a
new environment — one that demands more effortand accountability. If your company fails to developa comprehensive internal control framework, youwill not have adequate documentation to supportyour quarterly and annual evaluation of internalcontrol and your independent auditor may havetrouble delivering the quality work you need in atimely fashion.
2Promote understanding of internal control within the organization.Recent studies conducted by regulatory agencies
showed that in the case of two major banks, executivessigned assertions in good faith, yet were not able todemonstrate any control over the assessment process,because they did not understand the full implicationsof their assertions. In other cases, employees werefound to be filling out checklists and quarterly internalcontrol report packages without understanding thepurpose behind each document. The point here is thatwhile companies may be tempted to show superficialcompliance with Sarbanes-Oxley, such an approachmay backfire if controls fail because form was stressedover substance.
3Factor into your business model the cost ofdeveloping an internal control programA number of small banks have had sound busi-
ness plans, but have nonetheless failed because theydid not take into account the (substantial) costs asso-ciated with developing an internal control program tocomply with the FDICIA regulations. We anticipatethe same may be true for public companies subject toSarbanes-Oxley. Good internal control is not a one-time expense; rather, it fundamentally changes thecosts of doing business.
Recent events have placed us in a unique period inthe history of American business. The call for corpo-rate responsibility has never been greater. The needto link sound corporate governance to effective con-trol activities has never been clearer. And in terms ofrestoring public confidence in the financial market,there has never been more at stake. Forward-think-ing companies and executives will seize the opportu-nity. Those who fail to act may pay a heavy price.
Understanding the Limits of Internal Control While internal control can help to mitigate risks, it does not eliminate risk altogether. Internal control can only provide reasonable — but not absolute —assurance that
a company’s objectives are met. Internal control is, after all, built on processes involving people, and, as such, is subject to all the limitations of human involvement.
Internal control can be circumvented deliberately: through fraudulent acts by individuals or collusion between employees. Internal control can be undermined
inadvertently: through poor judgment, carelessness, distraction, or other breakdowns of processes and procedures. And internal control may be weakened or even
eliminated by resource constraints: the relative costs and benefits of internal control must be continually reevaluated.
28
Making the changes you need to comply withSarbanes-Oxley can help your business earn moreand be more successful. But why stop there? Goodcorporate governance involves many other processesthat, even if not mandated by law, can give your busi-ness a competitive advantage. So in the interest ofmaximizing your long-term success, here are someother issues that you may want to address as you re-evaluate your corporate governance procedures.
Establish a Code of EthicsGood corporate governance begins with the “tone at thetop” — the behavior and ethics of a company’s leadershipteam. The Sarbanes-Oxley Act, in fact, recognizes thisnecessity by proposing that every public company disclosewhether it has developed a code of ethics for its principalexecutives and senior financial officers.
Management is responsible for making sure that every-one in the company, from the CEO on down, bothknows the code of ethics and behaves in accordance withit. You can do this in the same way that you establisheffective internal control: evangelize, enforce, model,instruct, and infiltrate. Above all, make sure that every-one understands, in concrete terms, what they must doin order to comply with the code. It may be helpful todraw up several illustrations that define appropriatebehavior for individuals in different corporate roles sothat each employee knows what “ethical behavior”means within his or her own job.
The difficulty with implementing good corporateethics is not so much in the resolution of issues, as itis in the identification of issues in the first place. Intoday’s complex business environment, where thereare countless shades of gray but little undiluted blackand white, it is nearly impossible to foresee all situa-tions presenting an ethical dilemma. Efforts mustfocus on helping employees identify these potentially“thorny” situations and encouraging them to seekguidance through established reporting mechanisms.
Formalize Operational and Compliance ControlsAlthough this publication has discussed a number ofcontrols — financial reporting and disclosure con-
trols being the most prominent — other controls alsodeserve your attention. We recommend that you takethe opportunity, while adjusting your systems andprocedures for Sarbanes-Oxley control compliance, to consolidate the management of your operationaland compliance controls under the same infrastruc-ture as your disclosure and financial reporting con-trols. Formalizing similar procedures around youroperational and compliance controls will allow you tobe that much more confident in your business’ abilityto avoid unexpected pitfalls and obstacles in thesetwo spheres.
Get Your Audit Committee InvolvedSection 301 of Sarbanes-Oxley requires all exchange-listed or NASDAQ-traded public companies to havean audit committee, and many private companieshave chosen to establish audit committees as well.Serving on an audit committee is an increasinglychallenging job. The members of your audit commit-tee should be individuals who are willing and able todedicate the necessary time and energy to fulfillingtheir responsibilities as vigilant overseers on behalfof your company’s shareholders. Section 407 of theact also shines a brighter light on whether the auditcommittee has the requisite financial expertise toprotect investor interests. The final rules that imple-ment Section 407 require disclosure of whether atleast one member is a financial expert, as defined bythe SEC. The names of such members must be dis-closed in the annual filing and, if no financial expertis resident on the committee, the company must dis-close the reason why. Beyond selecting and supervis-ing the company’s independent auditor, the auditcommittee should review financial reports for com-pleteness and accuracy, and facilitate discussionsamong management, independent auditors, andinternal auditors about issues of quality and integrity.
So invite your audit committee to watch over yourinternal control implementation and compliance withSections 302 and 404 of the act. The committee canadd real value to the process through objective over-sight and seasoned perspective.
Epilogue: Sustaining Momentum
29
Appendix A: Compliance Checklist
✔ Step # Description See page #
1A Familiarize Yourself with Sarbanes-Oxley Section 302 9
1B Familiarize Yourself with Sarbanes-Oxley Section 404 10
2A Conduct Informal Assessment of Company Situation 13
2B CEO and CFO Commits to the Task of Compliance 13
2C Form a Steering Committee 14
3A Familiarize Yourself with Internal Control Frameworks 15
3B Select Internal Control Framework 15
4 Form a Disclosure Committee 17
5A Establish an Internal Control Program 20
5B Plan the Project 20
5C Form Internal Control Program Management Team 20
5D Assess the Control Environment 22
5E Define the Scope 23
5F Build a Controls Repository 23
5G Define Key Control Objectives 24
5H Map Existing Control Activities Against Control Objectives 24
5I Identify Control Deficiencies and Remediate 24
5J Perform Initial and Ongoing Tests 25
5K Monitor 25
6 Enable Technology to Achieve Results 26
30
“Moving Forward – A Guide to Sarbanes-Oxley ComplianceThrough Effective InternalControl” is a publication ofDeloitte & Touche’s CorporateGovernance Services designed tohelp you clearly understand thefast-evolving requirements of thenew regulatory and stock market rules, while keeping yourresponse aligned with yourbroader corporate goals andstrategies. These services focusaround four specific areas –board roles and responsibilities,ethics and corporate compliance,risk management and controls,and transparency and disclosure.
For more information, visit us atwww.deloitte.com/us/corpgov
31
©2003 Deloitte & Touche LLP.Deloitte & Touche refers toDeloitte & Touche LLP andrelated entities.
This publication contains general information only and should not be relied upon for accounting,business, financial, investment, legal, tax, or other professional advice or services. This publicationis not a substitute for such professional advice or services, nor should it be used as a basis for anydecision or action that may affect you or your business. Before making any decision or taking anyaction that may affect you or your business, you should consult a qualified professional advisor.The information contained in this publication likely will change in material respects; we are underno obligation to update such information.
Neither Deloitte & Touche LLP, Deloitte Touche Tohmatsu nor any of their affiliates or related entities shall have any liability to any person or entity who relies on this publication.
January 2003
About Deloitte & ToucheDeloitte & Touche, one of the nation’s leading professional services firms, pro-vides assurance and advisory, tax, and management consulting services throughnearly 30,000 people in more than 100 U.S. cities. The firm is dedicated to help-ing its clients and its people excel. Known as an employer of choice for innova-tive human resources programs, Deloitte & Touche has been recognized as oneof the “100 Best Companies to Work For in America” by Fortune magazine forsix consecutive years. Deloitte & Touche is the U.S. national practice of DeloitteTouche Tohmatsu. Deloitte Touche Tohmatsu is a Swiss Verein, and each of itsnational practices is a separate and independent legal entity. For more informa-tion, please visit Deloitte & Touche’s Web site at www.deloitte.com.