Changes in current professional standards finally recognize the importance of entity-level, organizational controls rather than just detailed control
procedures during the auditing process.
“When Section 404 audits first became
mandated under Sarbanes-Oxley, the first
go-rounds were extremely detail-oriented
and expensive,” says James P. Martin, CMA,
CIA, CFE, CPD, CFFA, senior manager with
Cendrowski Corporate Advisors LLC.
Realizing that the requirements were costly
and burdensome, the Securities and
Exchange Commission voted unanimously
on July 25, 2007, for a new auditing standard, the Public Company Accounting
Oversight Board (PCAOB) Auditing
Standard No. 5, to increase the accuracy of
financial reports while reducing audit costs,
especially for smaller public companies.
According to the SEC Web site, the commission expects Standard No. 5, in combination with the commission’s new management guidance, to make Section 404 audits
and management evaluations more risk-based and scalable to company size and
complexity.
“In many cases, organizational failure is
not due to details but because of management actions — management is not leading
properly,” Martin says. “This new approach
to auditing takes how well a company is
managed into account.”
Smart Business asked Martin how organizational controls fit into the picture.
What are the keys to strong organizational control?
According to the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) framework, internal
controls consist of five components: the
control environment, risk assessment, control activities, information and communication, and monitoring. In the control environment, monitoring is very important at
the top. That’s where organizational control comes into play. Organizational control
is about how well a company is managed,
not about policies and procedures. It has to
do with management’s understanding of
how everyone in the organization is doing.
Recognizing where opportunities for error
— either intentional or not — can occur
while determining accounting policies is an
art, not a science.
How can a company define its entity-level controls?
Identify the things that should be happening in the company. Organizational control just helps the leaders manage more
conscientiously and with more rigor. Most
managers try to lead by example but don’t
realize the impact that their actions have
on employee behavior. People are in tune
much more greatly than management
thinks. Keep in mind that organizational
control is not always about written policies. Consider a company that has a code
of ethics in writing. If what they do and
believe is the complete opposite of what is
put in writing, what’s the use?
How are entity-level controls assessed?
You can verify certain aspects of entity-level controls, such as the monthly closing
process or monitoring controls, such as
internal audit and the audit committee procedures. Others, such as management’s
tone at the top or the ability of management or others to override control procedures, are a little softer. For those controls,
you will need to talk with people either in
structured settings or informally. Oftentimes, companies will do surveys to gauge
employee satisfaction. Surveys are OK, but
they won’t necessarily tell you how
employees really feel.
What are the consequences of not having organizational controls?
Organizational controls are in essence
the moral code of the organization and
define what people should do when no one
is watching or a procedure is not specifically defined. Without strong organizational controls, you run the risk that because
something is not explicitly defined,
employees may think they can do whatever they want. The risk is that there will
always be some case or situation that is
not explicitly defined in the procedures.
Documented policies and procedures are
still essential, but by providing higher guidance, running a ‘concept-based’ versus a
‘rules-based’ organization and giving your
employees the resources they need to do
their jobs properly, you’re setting the stage
for better operations that can be refined
where necessary.
What type of ‘credit’ does a company earn for having organizational controls in place during the audit process?
According to the PCAOB, Standard No. 5
was designed to achieve four objectives:
focus the internal control audit on the most
important matters, eliminate procedures
that are unnecessary to achieve the intended benefits, make the audit clearly scalable
to fit the size and complexity of any company, and simplify the text of the standard.
With Standard No. 5, if you can demonstrate to the auditor that you have high-level organizational controls in place, you
can avoid detailed documentation of internal controls. This should save the organization tremendous time and audit fees.
JAMES P. MARTIN, CMA, CIA, CFE, CFFA, is a senior manager with Cendrowski Corporate Advisors LLC. Reach him at (800) 717-1607 or go to the company’s Web site at www.frauddeterrence.com.