Fat risk, lean controls.

That’s what Bruce McCuaig said SEC guidance and Public Company Accounting Oversight Board standards should be looking for, with “risk” here meaning a rigorous inventory of compliance risks rather than a catalog of controls. It’s not what he found.

McCuaig, chief risk officer for governance, risk, and compliance software firm Paisley, did some word counting recently. In particular, he tallied the number of times the words “risk” and “control” appear in Basel II, the Australian/New Zealand risk-management standard AS/NZS 4360, PCAOB Auditing Standard No. 2, and the PCAOB Auditing Standard No. 5 (AS5) that supersedes it.

Basel II says “risk” 1,500 times and “control” 67 times; in AS/NZS 4360, risk won 307 to 7. That’s the way it should be, McCuaig said.

AS5, though an improvement over AS2, mentions risk 168 times, a number dwarfed by the 635 mentions of control.

“I want to reverse that ratio,” he said to the audience gathered at Compliance Week’s 2007 Conference. “I want to have three times as many risks as controls.”

Despite AS5’s good intentions, he said, “We’re overmedicated on control. Maybe the medication will cure us, but we’re vastly overmedicated.”

Still, AS5 is an improvement over AS2, McCuaig said. Its most fundamental change, he said, is a shift of focus from bottom-up to top-down. Bottom-up meant considering controls first and risk later. Top-down means looking at company-level risk first and working down to controls from there.

AS5 is simpler, shorter, and more principles-based than AS2, McCuaig said. It requires just one auditor’s opinion on internal control over financial reporting and allows more reliance on the work of others. It clarifies other requirements, and there’s more focus on fraud. Though consistent and compatible with SEC guidance, it is more definitive: “MapQuest” versus the SEC’s “head west.”

“Basically we think the power struggle is over, and management we’ve seen inevitably taking an AS5-type approach over the SEC approach,” McCuaig said.

McCuaig boiled down his fat risk/lean control idea into 10 essentials for internal control over financial reporting with AS5. The steps:

Develop precise, lean entity-level controls. Such controls are more detailed than those offered by the likes of COSO, McCuaig said, and probably already exist in well-run businesses, though perhaps not in the accounting function. A lean control involves management monitoring, process-owner testing, and self-assessment.

Ensure a lean, strong control environment. McCuaig described this as “hardening” the control environment. Doing so involves developing detailed criteria to identify and assess all elements of a control environment, identifying and reporting issues, and seeking out and dealing with bad behavior.

Use fraud risk scenarios. McCuaig said companies should know precisely how they would counter any number of adverse scenarios, including executive pressure for “creative” accounting, altered shipping dates, major debt-covenant breaches, or the creation of fake customers. They should be confident enough in that knowledge to present it to the board of directors.

Assess the risk associated with period-end processes. Forty-one percent of deficiencies stem from problems with periodic financial processing, McCuaig said. Stanching the flow requires a much more detailed consideration than in the past, including the “fat risks” of incorrect calculations; incomplete, invalid, or missing transactions; cut-off errors; and incorrect interpretation of regulations, among others.

Focus on significant accounts. Account size is only one consideration, McCuaig said. Risk factors include the exposure to losses, the volume and complexity of activity, the use of the account—is management compensated based on how much money is in it?—and error history, he said.

Assess significant risks. For significant accounts, what can go wrong? What could happen if a significant account were misstated? Controls should be assigned only after a consideration of specific risks, and the probability of the risk happening, he said. Risk assessment should be the job of the company itself, and not external auditors who almost always lack the insight to do a proper job, McCuaig said.

Limit relevant assertions. Anybody with a keyboard can create an assertion these days, McCuaig said. Relative risk must come into play. He suggested applying a “reasonable possibility” test to assertions, and a senior executive should approve all assertions. Only 20-25 percent of assertions pass that test, he said; those that don’t should be removed from Sarbanes-Oxley scope.

Identify significant locations. As with significant accounts, the largest location may not be the most significant. Companies should consider the quality of an internal control, the susceptibility to fraud, and the number and type of employees, among other factors.

Assess the risk associated with IT general controls. IT generates perhaps 5 percent of deficiencies, McCuaig said. “There’s a huge amount of work being done, but I’m not sure how much of it should be for IT,” he said. In general, he would rather focus controls on people than systems, he said.

Keep score—track deficiencies. This involves logging each deficiency, identifying concentrations or absences of them, addressing root causes, and developing a deficiency reporting policy, McCuaig said.