While corporate-finance professionals might generally agree with the saying, “you can’t manage what you can’t measure,” many believe that Sarbanes-Oxley—and especially the subsequent Auditing Standard No. 2—have created measurement overkill.

The tried-and-true method of management by measurement is by documentation: the theory that companies should document how things are supposed to be done, then lay down the yardstick and see if reality measures up to the standard. That, in essence, is what SOX and AS2 require with regard to internal control over financial reporting.

It proved to be a tripping point for a number of companies in 2005. In a Compliance Week analysis of 400 companies that reported material weaknesses in internal control over financial reporting, 67 said their material weaknesses were related at least partly to problems with documentation.

AS2 specifies the kinds of documentation auditors should seek when assessing a company’s internal controls. It says management should have documented how its controls are designed; how significant transactions are initiated, authorized, recorded, processed, and reported; how transactions flow through the organization with an eye on where misstatements could occur; and what controls are in place to prevent or detect fraud, protect the closing process, and protect assets. AS2 also instructs auditors to look for the results of management’s own testing and evaluation of those controls.

The standard says documentation can take on any number of forms, whether on paper or in electronic files or other media, and can include items such as policy manuals, process models, flowcharts, job descriptions, and other forms and documents.

Technically speaking, the documentation requirements aren’t exactly new, says Tim Leech, chief methodology officer for Paisley Consulting. The Foreign Corrupt Practices Act of 1977, for example, includes a requirement for companies to have a working system of internal controls. What’s new, Leech says, is the level of detail AS2 requires—not to mention the level of enforcement.

Leech says the FCPA was seen as akin to dentists advising patients to floss daily. “It would be a good thing to do, but no one was held accountable to doing it,” he says. Sarbanes-Oxley now puts executives on the firing line over sloppy controls, with criminal liability created by their Section 302 certifications that controls do work.

Piling It On

In addition to documenting internal controls over financial reporting, SOX also requires companies to have the traditional documentation of recorded account balances. But Allen Shoulders, director of 404 tax services for Ernst & Young, says he suspects that the vast majority of companies reporting documentation problems are tripping over the internal control documentation, since that is the newest and largest area of documentation requirements.

Shoulders says companies are essentially required to show documentation of four areas to comply with SOX: the policies and procedures that govern their accounting; the processes themselves and how they work; evidence that the controls are in place and working; and evidence that the controls have been tested.

The third and fourth areas are where companies most likely are lacking adequate documentation, Shoulders says. “It’s possible companies have controls but have not done an effective job of assessing controls. Maybe management didn’t take the testing seriously enough but often it’s just a lack of documentation.”

In addition to AS2, Auditing Standard No. 3, Audit Documentation, also comes into play, Shoulders adds. “One thing it requires is if a control is not documented, it is presumed not to have existed or functioned,” he says. “Management could have everything in place, but if it’s not documented, auditors can’t rely on it.”

Bob Dohrer, a partner with the accounting firm McGladrey & Pullen, says auditors may see gaps in documentation of controls, but they must evaluate the significance of the control to determine if its poor documentation rises to the level of a material weakness.

“What really leads to a lack of documentation or a finding of inadequate management documentation is a control deficiency,” he says. “Then management and the auditor have to evaluate the significance of the deficiency. It rises to the level of material weakness if management has not demonstrated it can adequately monitor the effectiveness of the internal control.”

AS2

Below is the section of Auditing Standard No. 2 that discusses documentation of internal controls.

42. Management’s Documentation. When determining whether management’s documentation provides reasonable support for its assessment, the auditor should evaluate whether such documentation includes the following:

The design of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. The documentation should include the five components of internal control over financial reporting as discussed in paragraph 49, including the control environment and company-level controls as described in paragraph 53;

Information about how significant transactions are initiated, authorized, recorded, processed and reported;

Sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur;

Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties;

Controls over the period-end financial reporting process;

Controls over safeguarding of assets; and

The results of management’s testing and evaluation.

43. Documentation might take many forms, such as paper, electronic files, or other media, and can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms. The form and extent of documentation will vary depending on the size, nature, and complexity of the company.

44. Documentation of the design of controls over relevant assertions related to significant accounts and disclosures is evidence that controls related to management’s assessment of the effectiveness of internal control over financial reporting, including changes to those controls, have been identified, are capable of being communicated to those responsible for their performance, and are capable of being monitored by the company. Such documentation also provides the foundation for appropriate communication concerning responsibilities for performing controls and for the company’s evaluation of and monitoring of the effective operation of controls.

45. Inadequate documentation of the design of controls over relevant assertions related to significant accounts and disclosures is a deficiency in the company’s internal control over financial reporting. As discussed in paragraph 138, the auditor should evaluate this documentation deficiency. The auditor might conclude that the deficiency is only a deficiency, or that the deficiency represents a significant deficiency or a material weakness. In evaluating the deficiency as to its significance, the auditor should determine whether management can demonstrate the monitoring component of internal control over financial reporting.

46. Inadequate documentation also could cause the auditor to conclude that there is a limitation on the scope of the engagement.

Source

AS2: Audit Of Internal Control Over Financial Reporting (PCAOB; As Of May 12, 2006)

Ultimately, Dohrer says, auditors have great difficulty determining that management has a control if the company hasn’t documented the control. The documentation is evidence that management has identified its controls and can communicate them to the people responsible for executing them, he says.

“If management has not documented those controls, how can they say they can monitor those controls when there’s no documentation for controls to monitor against?” he says.

Enter The Cost Factor

Leech says documentation requirements are at the root of the painful cost increases companies have reported to comply with Sarbanes-Oxley. That is partly because the guidance is directed toward the auditors rather than directly at management, he says.

Indeed, one chief criticism of SOX is that it has allowed auditors to insist that companies document every control they can find. Bombarded with fierce complaints on that point, the Securities and Exchange Commission has promised to make amends by the end of the year. It has targeted Dec. 13 to issue management-focused guidance on how to implement the internal controls provisions of SOX, and is working with the Public Company Accounting Oversight Board to revise AS2.

“The only criteria auditors have had is the same standard they are judged on, which is AS2, because there has been no guidance for management,” Leech argues. If a company doesn’t do the same amount of control documentation that auditors themselves must do to arrive at their own audit opinion, “then the auditor has to give a failing grade. The auditor could conclude that management’s documentation has to be at least as great as they themselves have to have to pass a PCAOB inspection.”

Leech is the principal author of a position paper published by the Institute of Management Accountants and submitted to the SEC as a suggestion for how to revise SOX implementation, and make it more management-focused and less driven by audit requirements. The documentation would be scaled back dramatically in the IMA’s view.

To illustrate the enormity of the documentation requirements of SOX and AS2, Leech likes to draw an analogy to homeowners documenting all the measures they have taken to assure safety within their homes, such as protection they might have in place against fire, slips and falls, cuts, and so forth.

“Can you imagine if every household in America had to do a formal risk analysis, even if it was only for fire prevention?” he asks. “It would have to be good enough that your local fire department would consider it a reasonably robust analysis of all the risks. Could you imagine what that would look like? That’s a pretty accurate analogy” of what Sarbanes-Oxley and AS2 have meant for public companies.