It has been almost two decades since the Sarbanes-Oxley Act (SOx) was passed in the US to protect shareholders and the public at large from fraudulent corporate practices and to improve financial disclosures. The topic has stayed in the spotlight with the recent discussions in the UK on how to further strengthen the internal control framework for financial reporting purposes. Similar discussions also took place in the Netherlands and are reflected in the final report of the Netherlands' Committee for the Future of the Audit Sector. No conclusion has been drawn for now, but should a 'Dutch SOx' be introduced in the Netherlands, would your organization be prepared?
All companies – no matter the industry, size, or location – are faced with financial and fraud-related risks. The market, therefore, requires management to take appropriate action to mitigate these specific risks and to report transparently on the effectiveness of these actions.
Moreover, companies listed in certain countries need to comply with strict local laws and regulations. For example, in the United States and Japan, an auditor's opinion is required to provide assurance to the market and to compel management to take ownership of mitigating these risks. In comparison to the aforementioned countries, listed companies in the Netherlands currently have to comply with a less strict Corporate Governance Code.
But what if the Netherlands also wants to increase management accountability for internal controls, especially for listed companies?
What trends and discussions do we see?
For example, in the United Kingdom, the Department for Business, Energy and Industrial Strategy (BEIS) published a policy paper on this matter in March 2021. In this policy paper, which is currently in consultation, BEIS provides three options to enhance management accountability in relation to internal controls:
- the requirement of a management statement with a summary of their company's internal control effectiveness;
- the description in the independent auditor's report which contains the auditor's effort to understand the company's internal control systems and how this has influenced the audit; and
- the auditor's formal opinion on the management's annual statement on the effectiveness of the company's internal control.
In the Netherlands, a similar discussion is underway, as reflected in the draft report from the Committee for the Future of the Audit Sector (CTA) stating that "the responsibility for the effectiveness of internal controls and the accuracy and completeness of the financial statements lies with the company itself. To emphasize the responsibility, management should issue an In Control statement similar to what is done in the US and which is checked by the external auditor". After the consultation phase, the CTA stated in its final report that the Dutch Corporate Governance Code already addresses the responsibility of management for implementing a framework for risk management & internal controls, but that the opinion on the effectiveness of this framework by the external auditor should be considered. However, more research is required before any decision is taken.
On this subject, the opinion of the stakeholders involved varies; the investors support the recommendation of the CTA, whereas the representatives of the audited companies are critical towards the proposed recommendation. Various audit firms are, however, moderately positive towards the recommendation.
It appears that SOx-type regulations remain under discussion in various countries. While it is unclear how the discussion will impact the Dutch Governance Code, would it not be a good idea for Dutch listed companies to assess how far they are from a SOx-type internal control statement?
We believe the following questions are useful in performing an initial assessment of an effective and value-adding Internal Control over Financial Reporting (ICOFR) program:
1. Do you see an effective ICOFR program as valuable?
What is the value of implementing an ICOFR framework? Do you have an ICOFR operational strategy? What is your ICOFR purpose? Some companies view ICOFR as a compliance burden or a binary exercise. They view it as a task to complete.
We consider ICOFR to be more than that! Management should focus its attention on the areas that have the highest risks and the processes that can be improved, leading to better organizational performance, rather than on what the external auditor or audit committee wants to see.
2. Is your organization's cultural 'tone at the top' aimed at discovering and addressing issues or at focusing on achieving a clean audit?
The true benefit of ICOFR is to enable and support process improvement, thereby decreasing risks and adding value to the business. However, even with the best set of controls, not every company can benefit from ICOFR if key personnel are not collaborating fully. And this culture should be conveyed from the top.
Executives should not get stuck on thinking about a clean audit, but should put their emphasis on controls and remediation processes.
3. Do you know what your top ten to twenty most critical controls are?
Not all key controls are created equal. Some are more pressing than others, and ten to twenty make the list of the ones most likely to lead to a material weakness. By reprioritizing the most critical controls, management can spend more time focusing on enhancing the design of those controls, thereby maximizing the potential of each control for the overall benefit of the company.
4. Do you have a strong set of direct entity-level controls (ELCs)?
Since ELCs are complex and time consuming to document and test, ICOFR programs often do not include them, even though they are important to a well-balanced ICOFR program. Well-designed direct ELCs, operating at the right level of precision, can function as an 'insurance policy'. By re-evaluating these controls and making them more precise, they can truly defend the organization at a deeper level.
5. If you didn't test your controls, would you feel confident they would pass?
Testing every control in the organization is not scalable, nor consistent. Rather than testing, it is more valuable to spend this time educating control owners and process owners on why these control activities are being done. An ineffective control can be due to incorrect design, problems in the control environment, or cultural issues. These activities are much more valuable than detailed sample testing of controls.
6. Have you identified KPIs that would identify and monitor potential issues in your ICOFR program?
Defining control-related KPIs is one of the best ways to measure and monitor ICOFR program and control performance. KPIs draw a line in the sand between what's accomplished as compared to what isn't. More productive yet, they can narrow down areas where the process could be further enhanced. Monitoring controls can assess whether controls are failing elsewhere in the company.
An ICOFR program is an important program within your organization and can be considered a periodic 'health check' on the organization's daily operations. Reflecting on the six questions above, should a Dutch SOx be introduced in the Netherlands, would your organization be prepared?