Changes in current professional standards finally recognize the importance of entity-level, organizational controls rather than just detailed control procedures during the auditing process.
“When Section 404 audits first became mandated under Sarbanes-Oxley, the first go-rounds were extremely detail-oriented and expensive,” says James P. Martin, CMA, CIA, CFE, CPD, CFFA, senior manager with Cendrowski Corporate Advisors LLC. Realizing that the requirements were costly and burdensome, the Securities and Exchange Commission voted unanimously on July 25, 2007, for a new auditing standard, the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5, to increase the accuracy of financial reports while reducing audit costs, especially for smaller public companies.
According to the SEC Web site, the commission expects Standard No. 5, in combination with the commission’s new management guidance, to make Section 404 audits and management evaluations more risk-based and scalable to company size and complexity.
“In many cases, organizational failure is not due to details but because of management actions — management is not leading properly,” Martin says. “This new approach to auditing takes how well a company is managed into account.”
Smart Business asked Martin how organizational controls fit into the picture.
What are the keys to strong organizational control?
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, internal controls consist of five components: the control environment, risk assessment, control activities, information and communication, and monitoring. In the control environment, monitoring is very important at the top. That’s where organizational control comes into play. Organizational control is about how well a company is managed, not about policies and procedures. It has to do with management’s understanding of how everyone in the organization is doing. Recognizing where opportunities for error — either intentional or not — can occur while determining accounting policies is an art, not a science.
How can a company define its entity-level controls?
Identify the things that should be happening in the company. Organizational control just helps the leaders manage more conscientiously and with more rigor. Most managers try to lead by example but don’t realize the impact that their actions have on employee behavior. People are in tune much more greatly than management thinks. Keep in mind that organizational control is not always about written policies. Consider a company that has a code of ethics in writing. If what they do and believe is the complete opposite of what is put in writing, what’s the use?
How are entity-level controls assessed?
You can verify certain aspects of entity-level controls, such as the monthly closing process or monitoring controls, such as internal audit and the audit committee procedures. Others, such as management’s tone at the top or the ability of management or others to override control procedures, are a little softer. For those controls, you will need to talk with people either in structured settings or informally. Oftentimes, companies will do surveys to gauge employee satisfaction. Surveys are OK, but they won’t necessarily tell you how employees really feel.
What are the consequences of not having organizational controls?
Organizational controls are in essence the moral code of the organization and define what people should do when no one is watching or a procedure is not specifically defined. Without strong organizational controls, you run the risk that because something is not explicitly defined, employees may think they can do whatever they want. The risk is that there will always be some case or situation that is not explicitly defined in the procedures. Documented policies and procedures are still essential, but by providing higher guidance, running a ‘concept-based’ versus a ‘rules-based’ organization and giving your employees the resources they need to do their jobs properly, you’re setting the stage for better operations that can be refined where necessary.
What type of ‘credit’ does a company earn for having organizational controls in place during the audit process?
According to the PCAOB, Standard No. 5 was designed to achieve four objectives: focus the internal control audit on the most important matters, eliminate procedures that are unnecessary to achieve the intended benefits, make the audit clearly scalable to fit the size and complexity of any company, and simplify the text of the standard. With Standard No. 5, if you can demonstrate to the auditor that you have high-level organizational controls in place, you can avoid detailed documentation of internal controls. This should save the organization tremendous time and audit fees.
JAMES P. MARTIN, CMA, CIA, CFE, CFFA, is a senior manager with Cendrowski Corporate Advisors LLC. Reach him at (800) 717-1607 or CS@cendsel.com or go to the company’s Web site at www.frauddeterrence.com.