For companies with a December fiscal-year end, the time has come to begin testing key controls over external financial reporting to remain compliant with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404).
For many, compliance with SOX 404 represents an administrative burden, one that can only be lightened by paring down the number of key internal controls that are tested. To do so, companies must successfully differentiate between those internal controls that are key and those that are not.
Defining Key Controls
“A key control is one that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements will not be prevented or detected on a timely basis,” said J. Stephen McNally, finance director/controller for Campbell Soup, and the Institute of Management Accountants’ (IMA’s) representative on the COSO Internal Control Integrated Framework Refresh Project Advisory Council. “Key controls are those that provide reasonable assurance that material errors will be prevented or detected on a timely basis and significantly impact your ability to maintain a solid internal control environment.”
McNally believes that in order to determine which controls are key, organizations must first establish their objectives and then identify the risks that could prevent achievement of these objectives. Once risks are known, the organization can then decide which controls best mitigate the risk.
Paring Down Key Controls
For many organizations, identifying which controls are key to mitigating risk is as much of a process as testing those controls. The secret to identifying these controls is continuous review and improvement.
“If an organization wants to streamline its SOX 404 compliance efforts, the first step is to create a comprehensive inventory of control activities currently being performed,” said McNally. “Once you have an inventory of where you are starting, you can work with the process owners and other subject matter experts to assess which of the existing controls are critical, which ones are ‘nice to have’ and which ones are redundant or unnecessary and therefore should be eliminated.”
During this process, management and/or the internal auditing team should ask the following questions:
- What are the risks to external financial reporting?
- How are these risks being addressed?
- How could they be addressed more effectively?
This process of continuous review and improvement may identify areas that are well-suited for IT investments. Ultimately, doing so could replace numerous manual processes with one automated solution.
Testing Key Controls
By identifying those controls that are key, and paring down the other control activities accordingly, an organization can streamline its internal control environment and will likely need to test fewer internal controls from a SOX 404 perspective. This can minimize the administrative burden of SOX 404 compliance and ultimately benefit the organization as a whole.
“The benefits of control self assessment (CSA) testing go beyond compliance with SOX,” said McNally. “For one, it drives accountability among process owners and others involved in executing control activities. It can also be used as a training tool and can help to ensure internal controls are sustained as staffing changes occur. Most importantly, it gives stakeholders peace of mind that the internal control system is in fact reliable.”
For organizations to fully realize these benefits, McNally suggests developing a CSA testing plan that enables management to assess the effectiveness of key controls over the course of the year.
“I say this for two reasons. One, it spreads out the work. Two, it helps to ensure you will have time to address or correct issues that may arise before the CEO and CFO must sign off on the design and effectiveness of the organization’s internal control system in conjunction with SOX compliance requirements,” he said. “At the end of the day, this isn’t just about complying with SOX. It’s also about developing a stronger internal control environment.”