Another Hurdle on the Road to Compliance: Assessing Company-Level Controls
Sarbanes-Oxley Section 404 requires senior management at public companies to state their responsibility for establishing and maintaining adequate internal control over financial reporting and disclosure, to assess the effectiveness of their companies' internal controls for the current fiscal year, and to identify the framework used to make this evaluation. To meet these requirements, many companies have adopted or customized the Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework. This framework consists of five components: control environment, risk assessment, control activities, information and communication, and monitoring.
The PCAOB states that adequate consideration must be given to all components of the COSO framework, including detailed control activities at the process and transactional level as well as other components of COSO - known collectively as company-level controls. In its guidance to external auditors, PCAOB notes that, "when determining whether management's documentation provides reasonable support for its assessment, the auditor should evaluate whether such documentation includes ... the five components of internal control over financial reporting."1 The PCAOB also suggests that "it may be appropriate for the auditor to test and evaluate the design effectiveness of company-level controls first," adjusting its approach for evaluating the other aspects of internal control over financial reporting accordingly.2 Finally, PCAOB notes that, "ineffective company-level controls are a deficiency that will affect the scope of work performed [by the external auditor], particularly when a company has multiple locations or business units."3 In sum, management's documentation must encompass each component of internal control in the framework selected - such as within COSO - because each element is equally important.
Regarding company-level controls, they are those controls that permeate the organization and have a significant impact on the way in which an organization achieves its financial reporting and disclosure objectives. These controls are exemplified by the control environment itself, including the tone at the top, corporate codes of conduct, corporate policies and procedures, the assignment of authority and responsibility, fraud prevention efforts, and other companywide programs that apply to all locations and business units. Company-level controls are also exemplified by management's risk assessment processes, controls to monitor the results of operations, and controls to monitor the functionality of other controls, including control self-assessment programs and internal audit reviews. Finally, these controls are exemplified by senior management, audit committee, and overall board oversight activities.
Steps to Compliance
There are six major steps on the road to company-level controls compliance. Generally speaking, these steps encompass building a company-level controls assessment structure, documenting the design of these controls for the organization, testing the effectiveness of these controls, and engaging in gap remediation and continuous improvement efforts. Specifically, these steps include the following:
Define Project Plan & Key Milestones: Consistent with any major initiative, the first step toward compliance entails planning - outlining the project plan, including key activities and timelines, and identifying key milestones. This step helps to better assess the resources needed to complete the company-level controls effort and gauge a team's progress compared with expectations. Unlike other projects, however, the key activities in the project plan may represent overlapping tasks performed in parallel instead of a series of sequential activities. For example, determining the existence and nature of a process or transactional-level control typically takes place before collecting evidence to test its effectiveness. But, when it comes to company-level controls, collecting evidence may occur at any point during the overall compliance effort. In other words, some evidence - such as codes of conduct, corporate policies, organizational charts, board and audit committee charters, and so on - may facilitate the building of a customized assessment structure and provide insight into the design of an organization's company-level controls, in addition to representing evidence that supports the effectiveness of these controls.
Build a Company-Level Controls Assessment Structure: To methodically assess company-level controls, a formal assessment structure is needed within the context of the overall internal control framework adopted by management. To build this assessment structure, first, review appropriate authoritative literature, including COSO's Internal Control - Integrated Framework,4 the PCAOB's Auditing Standard No. 2,5 and the Sarbanes-Oxley Act itself. In addition, solicit input from any of the company's consultants who provide subject matter expertise for overall Sarbanes-Oxley compliance efforts and the company's external auditors. Finally, leverage insights from peers at other companies, attend seminars focused on company-level controls compliance, and research other available tools - such as KPMG's www.404institute.com Web site, for example.
Once built, a customized assessment structure will likely consist of 20 to 30 objectives across four components of COSO - excluding the control activities component. Collectively, these control objectives will represent management's control expectations for achieving Section 404 company-level controls compliance. As such, management will need to formally assess the design and operating effectiveness of each company-level control objective individually. Then, assuming management can conclude that it meets each objective based on these assessments, management can also conclude that the organization's company-level controls are adequate overall.
To facilitate management's assessment, each company-level control objective should be supported by underlying points of focus. These points of focus often reflect best practices with regard to company-level controls, and, in all cases, represent key considerations in examining a given objective. For example, one control environment objective may be that "through its attitudes and actions, management demonstrates character, integrity, and ethical values." This objective could then be supported by several points of focus, including "management sets the appropriate tone at the top," "management maintains codes of conduct and other policies regarding acceptable behavior," "management follows ethical guidelines in dealing with employees, suppliers, customers, and others," "management removes or reduces temptations that might cause staff to engage in unethical acts," and/or "management responds timely and appropriately to violations of the company's code of conduct." Before making an overall assessment for a given objective, management should carefully consider each point of focus and the implications of any best practice controls that seem to be missing outright.
Obtain Input Regarding the Design of Company-Level Controls: At many organizations, gaining insight into the design of company-level controls is more challenging than assessing detailed process or transactional-level control activities because such controls are not readily apparent and little consideration has been given to them in the past. That said, a variety of sources and techniques can be used to facilitate this effort. First, leverage Section 404 and other documentation already created to assess the organization's internal control activities. Then, review corporate policies, accounting policies, human resources policies, employee standards of conduct, organizational charts, internal communications, board materials, and other existing documentation. Finally, obtain additional input by interviewing appropriate subject matter experts. For example, representatives from the corporate controlling, internal audit, technology, legal, and human resource functions can provide insight into high-level oversight and other company-level controls performed at, or dictated by, management at the corporate level. Then business unit experts can clarify how such controls are implemented at the local level, such as how the local team translates the organization's entitywide strategies and objectives into local plans and activities. Finally, senior executives can discuss how they set the tone at the top, provide oversight, assign accountability, perform risk assessment, and directly influence the organization's company-level controls in other ways.
Document and Assess Company-Level Controls: The next step is to formally document and assess the design of an organization's company-level controls, preparing a response for each objective within the assessment structure built in the second step above. To do so, review the insights obtained via existing documentation and via the interviews held with functional experts, business unit contacts, and senior management. Then, examine each point of focus for a given objective, considering the adequacy of existing company-level controls relative to best practice expectations. In other words, for a given objective, assess whether the design of your organization's current controls is adequate as a whole. Finally, to the extent any gaps in the design of the controls are identified, document and begin implementing appropriate gap remediation plans as soon as possible.
Test Effectiveness of Company-Level Controls: Traditional validation testing is typically used to assess the operating effectiveness of controls at the process and transactional level, with the type and frequency of a control activity driving the extent of validation testing performed. Few company-level controls, however, lend themselves to selecting a sample size and then performing this type of traditional testing. As such, testing the operating effectiveness of an organization's company-level controls requires creativity. Specifically, try to leverage other techniques, such as observing a periodic disclosure committee meeting, interviewing members of the senior leadership team, reviewing board minutes, obtaining a copy of the organization's internal communications plan and evidence of its execution, selecting a sample of reported improprieties to assess management's response, conducting an employee survey, or performing other tests as deemed appropriate. An organizationwide survey, in particular, can provide solid evidence regarding the effectiveness of company-level controls, enabling management to gauge employee awareness regarding the company's mission, vision, and core strategies; awareness of, and adherence to, the company's code of conduct; and awareness of and comfort using the company's "whistle-blower" hotline. An organizationwide survey can also provide a benchmark to measure the improvement of company-level controls over time.
Engage in Gap Remediation and Continuous Improvement: If gaps are identified while assessing the design of an organization's company-level controls or while testing the operating effectiveness of these controls, initiate gap remediation efforts as soon as possible. Also, in the true spirit of improving overall corporate governance, recognize that there is a difference between having adequate and best-in-class company-level controls. To that end, maintain a continuous improvement mindset, looking for ways to make the process for assessing company-level controls more efficient and for ways to make the controls themselves more effective.
Documenting and assessing company-level controls is key to overall Section 404 compliance. More importantly, focusing on the effectiveness of management's oversight activities, risk assessment processes, and other company-level controls, financial officers are likely to find ways to enhance these controls and, ultimately, improve an organization's overall governance. For a public company, stronger corporate governance should translate into stronger business results and increased shareowner value. For a nonprofit organization, stronger governance should increase the organization's ability to realize its mission. Thus, identifying and assessing one's company-level controls, performing gap remediation as needed, and maintaining a continuous improvement mindset benefits public companies, private companies, nonprofits, and other organizations alike. So get jumping, the hurdles are getting closer!
1 PCAOB Release 2002-001, Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, March 9, 2004, p. A-23 to A-24.
2 Ibid, p. A-27.
3 Ibid, p. A-28.
4 Committee of Sponsoring Organization's of the Treadway Commission's Internal Control - Integrated Framework, two-volume edition, 1994.
5 PCAOB Release 2002-001, Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, March 9, 2004.
J. Stephen McNally, CPA, is a director of finance for Campbell Soup Co.'s Campbell U.S.A. Division, and is a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at firstname.lastname@example.org