Control self-assessment: Everybody pitching in with internal controls
By J. Stephen McNally, CPA
The fifth anniversary of the Sarbanes-Oxley Act has passed, and many continue to argue whether or not the benefits of the legislation outweigh the related costs. Although there is no clear answer to this yet, does it even matter? Establishing and maintaining strong internal controls over financial reporting and disclosure is critical for the success of any organization: public, private, and nonprofit alike. Adopting the principles and best practices promoted by Sarbanes-Oxley, including solid corporate governance, the ethical behavior of management, and the transparency of financial information, will enable senior management to become more accountable for, and aware of, the material information emanating from their companies.
To truly embed internal controls accountability in the fabric of an organization’s business processes, procedures, and culture, management should consider implementing a control self-assessment (CSA) program. Management should not think of this as just another Sarbanes-Oxley requirement, but should instead approach implementation as a more efficient way of running the business.
In this spirit, the following highlights the benefits of having a CSA program and provides insight regarding the key steps to implementing such a program.
CSA is a management technique that can be used to assure key stakeholders, both internal and external, that an organization’s internal controls system is reliable. CSA is a sustainable process whereby management validates the operating effectiveness of its internal controls via testing. That is, each process owner and individual control owner within an organization performs effectiveness testing to verify that key controls are functioning properly, resulting in the detection or elimination of material misstatements.
Consistent with the requirements of Sarbanes-Oxley Section 404, management must first assess the design of the company’s internal controls system, clearly identifying major processes and the key controls within each. Then each process owner develops test scripts for each key control and engages a team to perform the given tests throughout the year. This allows management to verify that these controls are working as anticipated. A CSA program expands the role of operations management from merely assessing the design of its internal controls to testing and validating the effectiveness of its internal controls throughout the year.
Benefits of CSA
Whether or not your company is required by Section 404 to formally assess the design and effectiveness of its internal controls, creating and maintaining strong internal controls makes good business sense. A CSA program offers many benefits, including accountability for internal controls, sustainability of management’s compliance program, enhancement of training opportunities, decrease of regulatory compliance costs, and creation of a stronger controls environment.
Accountability - A CSA program increases the accountability of operational management over internal controls, in general, and process owner accountability and responsibility, in particular. One of the first steps in implementing a CSA program is to ensure that internal controls processes and procedures are established and clearly defined. Each process owner must understand the "big picture" process owned by his or her department, including each team member’s role and how the various control activities performed by the team are linked together. Each process owner is then required to test the effectiveness of their controls, performing defined test scripts, collecting evidence, and verifying whether a given control is working as designed. The process owner is now personally responsible for monitoring and verifying the effectiveness of the department’s internal controls throughout the year, whereas in the past they would simply react to concerns or recommendations coming out of a periodic audit.
An effective CSA program brings the sense of internal controls accountability to each respective member of the process owner’s team. Those who are directly involved in processing transactions or performing the key controls for a given process are in the best position to validate the operating effectiveness of these controls. By including these individuals in the CSA process, they will gain a better appreciation for their roles as control owners, better understand their responsibilities, and become more controls-conscious.
Sustainability - An effective CSA program sustains Sarbanes-Oxley compliance, or similar efforts, by embedding the evaluation of internal controls effectiveness into everyday activities and routines. This sustainability results from several considerations. First, while implementing a CSA program, management is likely to identify opportunities to streamline and improve existing control activities, eliminating redundant efforts and mitigating any deficiencies. Second, the process of implementing a CSA program provides the process owner and individual control owners with a greater appreciation for their particular role within it. Third, an effective CSA program will hold individuals accountable for fulfilling their ongoing internal control responsibilities as well as supporting CSA efforts. Finally, ongoing CSA efforts are likely to generate additional insights on how to enhance and streamline the organization’s internal controls system. As such, implementing a CSA program allows management’s Sarbanes-Oxley compliance program to evolve from a project-driven effort to a sustainable process.
Training Tool - An effective CSA program can also serve as an effective training tool. The process of implementing a CSA program and then performing CSA testing throughout the year helps those who process transactions to understand their role within the big picture, so that they can become more effective at performing their work. CSA also enables operating management, especially each process owner, to better understand their end-to-end process, the linkage between key controls, and the roles fulfilled by each member of the team. Finally, CSA documentation can be reviewed by new members of a team so they can quickly get up to speed with regard to their overall role and internal control obligations. An effective CSA program ensures that internal control training, like the compliance effort overall, becomes part of the daily routine.
Cost of Compliance - Sarbanes-Oxley requires management to perform operating effectiveness testing of its internal controls system. To meet this requirement, many companies have engaged external consultants, burdened their internal audit function, or hired new staff. By implementing an effective CSA program, management can reduce or eliminate reliance on third parties, enable the internal audit function to focus on more pressing or strategic requests, and stem further headcount increases purely to facilitate compliance efforts. With a CSA program, effectiveness testing will be performed by many associates throughout the organization as part of their ongoing roles and responsibilities. Because a CSA program is widespread, the burden should not be overwhelming for any one individual.
Stronger Internal Control Environment - An effective CSA program is a win-win scenario because it both enhances the efficiency of the Sarbanes-Oxley compliance process and increases a company’s overall control consciousness. With the widespread involvement of management and staff, the organization will have better trained and motivated employees, especially if CSA responsibilities are measured and rewarded via performance reviews. In addition, CSA testing throughout the year enables management to identify internal control deficiencies and to promptly address any control failures. Indeed, CSA is more preventative than detective, in that staff become attuned to internal controls and begin identifying and correcting issues as they happen, rather than discovering the breakdowns later. An effective CSA program will enhance communications between operational and top management, and provide greater assurance to both senior management and external auditors that the organization’s internal controls are operating effectively.
Implementing a CSA Program
There are nine major steps to implementing a CSA program. These steps encompass defining the nature and extent of the organization’s CSA program, rolling out the program, performing the first round of testing and review, and then incorporating lessons learned before going through the process again. Specifically, these nine steps are outlined below.
Research CSA Models and Best Practices - There is limited formal guidance available regarding how to initiate a CSA program, but an external auditor may be able to provide insight or introduce you to other clients who have implemented such a program. Attending Sarbanes-Oxley conferences and participating in professional organizations, such as PICPA, may also introduce you to contacts with CSA subject matter expertise. In other words, the best guidance will come from those who have already gone down the path of implementing CSA programs. Learn how they structured their program, what worked and what did not, and any specific suggestions they have.
Define CSA Scope, Principles, and Objectives - Each organization will be unique with regard to the scope, principles, and objectives of its CSA program. As such, there must be solid communication of, and alignment behind, all key aspects of the CSA program between all key stakeholders, including each process owner and individual control owner, internal and external auditors, senior management, and the company’s board of directors.
Define Roles and Responsibilities - One of the most critical steps in developing an effective CSA program is identifying and defining the roles and responsibilities of the key players in the process, including process owners, CSA business testers, and CSA business reviewers. Typically, a process owner should be a subject matter expert with strong project management skills and enough seniority to ensure that CSA efforts are prioritized, despite other demands. The CSA business tester will perform detailed CSA testing and document the results accordingly. The CSA business tester must have an appropriate balance between understanding the process and underlying controls to be tested and being independent enough to have a reasonable degree of professional skepticism. The CSA business reviewer must also have enough understanding of the process to perform an effective review, otherwise external auditors may find issues and will not be able to place reliance on the internal work performed. As such, the process owner is often the logical person to assign as CSA business reviewer for a given process.
After defining these roles within the new CSA program, determine what roles the internal audit function, any centralized Sarbanes-Oxley compliance teams, and others will play, if any. For example, internal auditors may formally assess the CSA work performed and issue an opinion accordingly, or they may simply include the underlying internal controls of a given process within the scope of an overall risk-based audit. Similarly, a centralized Sarbanes-Oxley compliance team may provide formal oversight of all CSA work performed, or it may act as a resource to operational management in implementing a CSA program. CSA programs can be structured in many different ways, so defining all key roles upfront and gaining alignment from all parties involved in the program is critical.
Schedule CSA Training and Program Roll-Out - After determining the overall structure, principles, and expectations of the CSA program, schedule the training and then formally roll out the program. When doing so, though, consider customizing the CSA training to meet the needs of the given audience. For example, those participants who lack audit experience may better grasp the specific requirements of your new CSA program if you first deliver basic training regarding the nature of internal controls and the objectives of the audit function.
Establish CSA Requirements by Functional Process - Once the process owners and individual control owners understand the key principles behind, and objectives of, the new CSA program, they can establish the CSA requirements for their given process. Specifically, they will need to define the test scripts to be performed for each key control objective within the given process, including predetermined sample sizes, specific test steps, evidence to be maintained, and what constitutes a pass or fail for each test. To the extent that management expects the external auditor to leverage the results of this testing, the sample sizes and frequency of tests should be appropriate.
Perform CSA Testing and Review - During a round of CSA testing, each CSA business tester should review existing internal controls documentation, including key controls and related test scripts, for each assigned area of responsibility. Then they should perform appropriate CSA testing in accordance with pre-established test scripts and formally document the results, maintaining related evidence as appropriate. Each tester, moreover, should discuss any potentially new internal control deficiencies with the process owner or individual control owner. Finally, to complete the round of CSA testing, the process owner or other appropriate individual should review the CSA testing documentation, including a write-up of testing performed, conclusions reached, and any supporting evidence.
Remediate Identified Internal Control Deficiencies - If internal control deficiencies are identified during the CSA process - whether through some concern over the design of the controls or failures identified while testing the effectiveness of these controls - initiate gap remediation efforts as soon as possible. Recognize that there is a difference between having adequate and having best-in-class controls. In other words, maintain a continuous improvement mindset, identifying ways to make internal control procedures more efficient and the internal controls themselves more effective.
Review Lessons Learned and Refine CSA Program - After developing and rolling out a new CSA program, and going through the testing, formally solicit feedback and review the lessons learned. Next, based on this insight, the CSA program can be refined to enhance its benefits to the organization. For example, you may learn that those process owners who lacked prior audit experience struggled while identifying the key controls in their process or while defining test scripts to verify the effectiveness of these key controls. As such, you may want to modify your CSA training and support for that given audience.
Do It Again - An effective CSA program is a sustainable process for monitoring and testing the effectiveness of internal controls. To that end, although you must determine the appropriate frequency of performing CSA testing (such as two or four rounds of testing per year), each process owner and team needs to do it again.
Whether you are motivated by a desire to meet your company’s Sarbanes-Oxley compliance requirements in the most cost-effective manner, or simply because you know that having a strong internal control environment will help your organization operate in the most efficient manner possible, consider implementing a CSA program. By implementing an effective CSA program, you can embed internal control accountability deep into the organization, ensure the sustainability of your internal controls compliance efforts, provide a training tool to ensure new and existing associates conceptually understand the importance of their role, and ultimately reduce the cost of overall compliance efforts. In other words, an effective CSA program will drive a much stronger internal control environment, giving assurance to all key stakeholders, internal and external alike, that the organization’s controls are operating effectively.
About the author
J. Stephen McNally, CPA, is finance director and controller for Campbell Soup’s Napoleon, Ohio, operations, and a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at firstname.lastname@example.org.
Reprinted with permission from the Pennsylvania CPA Journal