ICOFR can be costly and many companies are looking for opportunities to reduce expenditures while maintaining compliance. But if companies do not continue to examine and evaluate their ICOFR programs, the natural tendency is for rising complexity and requirements to lead to rising effort and cost. Better strategy, governance, and performance can meet higher demands without a higher budget.
In the case of ICOFR, an unhealthy program can be expensive and increase the risk of a material weakness.
But beneath these risks are opportunities, as the journey to continuously improve and mature ICOFR programs can reduce risk, cut costs, and increase efficiency. A healthy ICOFR program can drive value through a positive impact on business processes and risk management and therefore on business performance.
This article delves into how the evolution of Sarbanes-Oxley 404 (SOX) has impacted ICOFR programs and offers insights on how to evaluate whether your company’s ICOFR program is providing value as a mature, “healthy” program should.
Responsible individuals, even if they have not had serious health issues in recent years, still have regular medical check-ups. Similarly, companies whose ICOFR programs appear to be running smoothly should still periodically evaluate the health of their ICOFR program and control portfolio. In addition to identifying and correcting potentially unhealthy aspects of the programs or control problems before they occur, a well-designed evaluation (health check) can provide significant insights:
No company expects to discover costly and damaging weaknesses in its ICOFR program, but failures happen, even in companies that devote extensive and expensive resources to performing and testing controls. Several consecutive years without material weaknesses or significant deficiencies is no guarantee that a control issue is not looming, particularly if the company does not have a healthy ICOFR program.
The seven primary themes of material weaknesses are as follows:
| Theme | Example disclosure |
|---|---|
| Lack of documentation, policies and procedures | “…a deficiency in the effectiveness of a control intended to properly document and review facts and apply the appropriate tax accounting under accounting standards…” |
| Lack of accounting resources/expertise | “The Company did not maintain a sufficient complement of personnel with an appropriate level of knowledge of accounting, experience, and training commensurate with its financial reporting requirements…” |
| Material and/or numerous auditor year-end adjustments | “…we identified a material weakness in our internal control over financial reporting with respect to the application of complex technical accounting standards” |
| IT, software, security, and access issues | “Insufficient information technology controls and documentation” |
| Issues around the segregation of duties | “The Company has not appropriately restricted access to the accounting applications to appropriate users and does not have processes in place that ensure that appropriate segregation of duties is maintained.” |
| Inadequate control design or a lack of controls | “…The internal audit department did not develop its functions to comply with the analysis of the controls during the year, consequently, this limited the functions of the Audit Committee” |
| Non-routine/complex transactions | “Management has identified a material weakness in the internal control over financial reporting relating to the accounting for significant and complex transactions…” |
Understanding these themes can help companies take ongoing measures to reduce the risk of future errors. As an added benefit, these measures can also reduce the total cost of ICOFR and improve efficiency throughout the company.
Since the Sarbanes-Oxley (SOX) Act was passed in 2002, the related demands on companies and external auditors have evolved, as seen in the graphic below.
Without going into too much detail on each phase in the ICOFR evolution, it is still possible to identify several broad trends:
A thorough health check can identify the potential for a more effective and efficient ICOFR program. Answering the following questions will provide perspective on where your company's ICOFR program currently stands:
If your ICOFR program is merely seen as a necessary cost, then it is not demonstrably fulfilling its role of ensuring the reliability of financial statements and avoiding costly errors. An ICOFR program should serve management and the board by providing insights beyond compliance to enable and support process improvement, thereby decreasing risk and adding value to the business.
Even the best set of controls will not function well if key personnel are not collaborating fully. This culture should start at the top. Companies with significant control issues often end up identifying the root cause as senior management’s failure to place appropriate emphasis on controls and to allocate sufficient resources to fully remediate control failures with sustainable processes.
Not all key controls are created equal. Some are far more likely to catch errors. The program as a whole should show a visible difference in approach for the most critical controls. ICOFR programs often allocate the same amount of time and effort to all key controls, rather than designing, operating, and testing controls with a greater focus on the most critical areas.
Well-designed direct entity-level controls (ELCs) operating at the right level of precision can function as an “insurance policy” to mitigate lower-level control failures and keep them from becoming material to the company. These direct ELCs are often key operational controls that management relies on to run the business. Since they are complex and time-consuming to document and test, ICOFR programs often do not include them, but they are important to a well-balanced ICOFR program.
If you cannot answer yes to this question, or are concerned with testing your controls before the external auditor does, it is a sign you are worried the controls are not operating effectively. In that case, you should consider the cause of this uncertainty, which may be incorrectly designed controls, problems in the control environment, or cultural issues.
Defining control-related KPIs is one of the best ways to measure and monitor ICOFR program and control performance. Monitoring controls can assess whether controls are failing elsewhere in the company. For example, the number of terminated users identified during a periodic user access review should be used to identify and address shortcomings in the regular employee termination process, where access for those users should have been revoked.
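An added example, not part of the original article: one way to compute the terminated-user KPI described above from an HR termination list and an access-review snapshot. The sample data, field names, and the one-day revocation grace period are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample data: HR termination dates keyed by user id.
HR_TERMINATIONS = {
    "u1001": date(2024, 1, 12),
    "u1002": date(2024, 2, 3),
    "u1003": date(2024, 3, 20),
}

# Constructed access-review snapshot: (user id, system) for each enabled account.
ACTIVE_ACCOUNTS = [
    ("u1001", "erp"),
    ("u1001", "vpn"),
    ("u1003", "erp"),
    ("u2001", "erp"),        # current employee, no termination record
    ("u2002", "treasury"),   # current employee, no termination record
]


def termination_kpi(terminations, active_accounts, review_date, grace_days=1):
    """Summarise terminated users who still hold access at review time."""
    findings = []
    for user, system in active_accounts:
        terminated_on = terminations.get(user)
        if terminated_on is None:
            continue  # not a leaver
        # Days past the assumed revocation deadline; future-dated
        # terminations come out negative and are not findings.
        overdue = (review_date - terminated_on).days - grace_days
        if overdue > 0:
            findings.append(
                {"user": user, "system": system, "days_overdue": overdue}
            )
    users = {f["user"] for f in findings}
    return {
        "terminated_users_with_access": len(users),
        "exception_rate": len(users) / len(terminations) if terminations else 0.0,
        "max_days_overdue": max((f["days_overdue"] for f in findings), default=0),
        # Per-system counts point at where deprovisioning is breaking down.
        "by_system": dict(Counter(f["system"] for f in findings)),
        "findings": findings,
    }


if __name__ == "__main__":
    print(termination_kpi(HR_TERMINATIONS, ACTIVE_ACCOUNTS, date(2024, 3, 31)))
```

Tracking the per-system breakdown across review periods shows whether the gap sits in one application's deprovisioning step or in the termination process as a whole.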