More than a decade after capital markets began focusing on internal controls to produce more reliable financial statements, companies and their auditors are pressing through a new phase of scrutiny on internal control, even though the underlying rules themselves have changed very little.

Jeanette Franzel, a member of the Public Company Accounting Oversight Board, calls it a “perfect storm” in the internal control environment. Speaking at Compliance Week's annual conference last week, she said companies are implementing an updated framework for internal controls, while also facing new questions from external auditors under pressure from the PCAOB to get tougher on controls.

The Committee of Sponsoring Organizations, author of the Internal Control — Integrated Framework that virtually all U.S. listed companies rely on to comply with internal control reporting requirements, updated the 20-year-old framework in 2013. The updated COSO framework explicitly requires the 17 principles that underpin a sound internal control environment to be present and functioning. Meanwhile, the PCAOB gave external auditors new guidance in an audit practice alert outlining numerous internal controls auditing problems the board's inspectors have noted in routine audit firm inspections during the past few years.

“There's a lot of mythology and angst out there about internal controls,” Franzel said. “Audit firms find themselves in a position where suddenly they can't accept what's been accepted in prior years because it's not adequate. It's important for issuers to sort this out with their audit firms. Everyone needs to sit down with an open mind and say what may have passed last year is really not acceptable going forward.” The greater focus on controls is not just for auditors to address, she said: “The issues are all over the place in terms of inconsistency of practice among companies. If your company believes internal control is just something for auditors and you'll just do whatever the auditors require, you're way behind.”

No New Guidance

Eric Allegakoen, chief audit executive at Adobe Systems, said the irony of the new climate is that the rules themselves have not changed in any significant way as a result of recent initiatives. He said he's heard the grumbling that the PCAOB and COSO have raised the bar or set new standards with their respective efforts. “I don't think this is new guidance,” he said during a panel discussion at the conference. “It enhances existing guidance. The bottom line is there is nothing new out there. It's just stuff audit firms should have been doing before. I don't think any panic is necessary.”

Bavan Holloway, vice president of corporate audit for Boeing, said the new COSO framework is prompting companies to take a closer look at the extent to which the company's controls meet the framework's 17 principles of sound internal control. “How do we demonstrate that we meet those?” she asked at the conference. The new framework is driving an examination of the level of detail, she said. “We're making sure controls are identified with enough specificity so you can understand how controls will mitigate risks, whatever those risks are.”

That doesn't mean, however, companies should rely too heavily on a gap analysis—looking at compliance with the old framework versus the new—to transition to the new framework, Franzel said. “There are risks associated with a checklist approach or a gap analysis,” she said. “This should not be a paperwork exercise. This should be an opportunity to step back so you can take a fresh look at your controls.”

Holloway and Allegakoen agreed that a gap analysis should not be the only approach to assessing what is needed to move to the updated COSO framework. “A gap analysis is an important part of the process, but you've also got to bring in the risk-based approach,” Allegakoen said.

As for the PCAOB's guidance for auditors, Holloway, a former Big 4 auditor herself, said she is applying it internally. “We're trying to keep ourselves to very similar standards that external auditors have to follow, so we're not placing reliance on controls that don't really address the risks that are out there,” she said.


Holloway and Allegakoen acknowledged some of the demands auditors are making as a result of PCAOB inspection focus. Signatures, for example, are not necessarily adequate audit evidence, Holloway said. “By looking at a person's signature, you know they knew how to sign their name,” she said. “Just relying on the fact that it is signed is not a good control.”

According to Allegakoen, Adobe has put more focus on assuring controls over electronic evidence. “We have to make sure for any report that comes out of our SAP system that we have controls at the spreadsheet or database level,” he said.

Prioritizing Risks

Steve Koslow, chief ethics and compliance officer for CUNA Mutual, and Kevin McMahon, senior vice president of internal audit and chief compliance officer at Calpine, said at the conference that they put significant focus in their control environments on assessing controls and assuring they respond appropriately to identified risks and management's risk tolerance levels. CUNA Mutual, said Koslow, uses a basic risk scoring process to help prioritize risks and determine appropriate control levels. “We want the business areas to know where their controls are adequate and where they are not adequate,” he said. “And if there are gaps between what the residual risk score is and what it should be, we'll have a conversation about that.”

The options, Koslow said, are fairly simple. “You have two different levers you can pull,” he said. “You can increase the controls, or increase your risk tolerance.” In the first year the company adopted such a scoring and ranking process, a surprising number of business process owners believed in some places they needed tighter controls, he said, even where the compliance office didn't necessarily agree.

McMahon said it's management's job to determine the right risk tolerance and controls, but it's up to the compliance office to assure the guardrails on the control environment are in place and operating effectively. “It's not our job to keep them in compliance, but to keep the framework in place so they stay in compliance.”

Calpine is one of only a few companies “I am aware of,” said McMahon, that has given the compliance officer a direct role in assuring compliance through employee compensation. “The chief compliance officer can recommend to the compensation committee of the board that it withhold a defined portion of the bonus pool for compliance issues.” This past year Calpine withheld a portion of the 5 percent target for some non-material compliance issues. McMahon said that strong support for compliance from senior management and the board is meaningful, and that regulators also see it as a strong indicator of a culture of compliance.