December 07, 2006


Entity Level Controls for Smaller Companies


To help smaller organizations with key COSO areas, we are writing a series on Entity Level Controls with smaller companies in mind. The first in the series, this article, deals with Control Environment – the fundamental building block section to the COSO model. The second will provide explanation and examples on Risk Assessment. The third will walk through Information and Communication. The fourth will take a look at tailoring important Monitoring controls for smaller companies. The fifth and final section will deal with what happens when Entity Level Controls all go wrong. Specific questions may be posed to the author via email at cathyconnally@issuescentral.com

If your company needs assistance in the effective and sustainable compliance in SOX 404 or MI 52-109, contact http://www.issuescentral.com/ for more information on Compliance Playbook® for companies based outside of Canada. For Canadian based companies, see http://www.compliancepartner.ca/ for more information on Compliance Partner™ from Thomson Carswell.

First in a Series: Entity Level Controls: Control Environment
In a smaller company, the CFO and CEO have the benefit of being closer to personnel who are creating transactions. They tend to know more about the details of day to day business and will most likely know employees by name.

The COSO definition of an internal control is “A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.”

While larger companies have the benefit of more resources, their officers tend to know very little about the day-to-day details of the company. Furthermore, they tend to have little direct effect on the average employee. Therefore, they must rely on a pyramid of managers to provide “reasonable assurance” that internal controls are operating effectively.

Given the direct interaction that smaller company CFOs and CEOs have in many transactions, and certainly directly with the employee(s) who create or effect transactions, this closeness can be converted into an advantage in an internal controls over financial reporting project by first designing and implementing effective Entity Level Controls.

The purpose of any ICFR (Internal Control over Financial Reporting) project should be to prevent and detect errors and fraud. If we keep this in mind, then having strong Entity Level controls and being able to prove it should be an important focus of our projects.

After a company has scoped the project using a Top Down Risk Based Approach in the financial processes and IT areas, it is extremely important as a first step in documentation to walk through and document a company’s entity level controls. Why? Because in a small company a CFO’s direct connection to day to day transactions means that they already have heavy involvement in the process level transactions.

Entity level controls are critical because a small company can reduce risk by relying on effective Entity Level controls and therefore rationalize the level of documentation of process controls. This means, though, that if heavy reliance on entity level controls is going to be an important part of “reasonable assurance” over ICFR, then entity level controls may be one of the most important areas to document and test. This documentation can importantly supplement the documentation of the key area of the actual financial reporting process/disclosure controls areas themselves.

What are some of the key areas that a company should be including as part of its Entity Level controls review?

Back to basics would be to look at the elements of the COSO Internal Controls – Integrated Framework that apply in Entity Level Controls.

Control Environment:
  - Integrity and Ethical Values
  - Importance of Board of Directors/Audit Committee Operations
  - Management’s Philosophy and Operating Style
  - Human Resources Practices

Risk Assessment:
  - Importance of Financial Reporting Objectives
  - Identification and Analysis of Financial Reporting Risks
  - Assessment of Fraud Risk

Information and Communication:
  - Information Requirements in the organization
  - Information Control
  - Management Communication
  - Upstream Communication
  - Board Communication
  - Communication with Outside Parties

Monitoring:
  - Ongoing Monitoring Processes
  - Sub Certifications of Processes
  - Timely Reporting of Deficiencies

Note: Control activities that deal with the key process controls are generally not part of Entity Level controls, which is why Control Activities (the fifth component of the original COSO model) are not included here.

We will examine a few of the key items in each of these areas in our series. What follows are some of the key areas that a company needs to review in the first area of Entity Level Controls – Control Environment. Issues Central, Inc. Compliance Playbook® includes a complete best practice template as part of the software and content for companies to review/edit/perfect and include in their report of their Entity Level Controls.

Control Environment is the building block that all other aspects of the COSO model rest upon. A company with a strong Control Environment can rest its practices, policies and procedures upon a rock solid foundation. It provides a lens through which all behavior is judged.

The first area of Control Environment is Integrity and Ethics. If a company has a published Code of Conduct/Ethics that is reviewed at new hire orientations and signed by all employees prior to being added to the payroll, this sends an important signal to all who work at the company that this is important. Further, if once a year the code of conduct is signed again by each employee and reviewed by management, the proper ethical behavior is reinforced.

While smaller companies tend to be more informal especially in the areas of Control Environment, it is essential that ethics policies and enforcement are documented and implemented in a formal way. Formality is important in areas that cannot be compromised, such as integrity and ethics.

To put teeth into these formalized policies and procedures, deviations from the code of conduct should be documented and dealt with appropriately by management. These are important actions that show the company has ethics policies, believes in them and will enforce them.

A second critical area of Control Environment is Management’s Commitment to Competence. If employees are important enough to be relied upon to perform processes critical to financial reporting, then they are important enough to invest in: educating and training them in the complexities they face in the performance of their jobs.

Training plans or at least policies should be documented to assure that employees have the mandate and budget to attend training and education as required to perform the tasks as required by statute or standard.

Small companies tend to provide employees a great deal of opportunity to perform a great many tasks. They tend to have more varying responsibilities than a similar employee at a large company. The downside is that the level of expertise required by one individual at a smaller company may be quite extensive. Thus, the need for training in a variety of areas for key employees to perform their jobs at the level necessary to meet statutory requirements is critical.

A third critical area of Control Environment is Audit Committee Operations and Effectiveness. Audit Committees have the responsibility and liability for internal controls in a company. How directly they interact with the project varies with each company and may depend on their level of expertise in the ICFR area.

The first thing to check in assuring that an Audit Committee operates effectively is that it has a written charter. Without this in place, it is akin to taking a trip without a map. Another critical component is to be sure that the financial experts on the committee are indeed up to date with regulatory requirements and can ask the proper questions to assure Audit Committee obligations are met effectively.

Simple things such as written agendas and effective minutes are critical so that when the effectiveness of the Audit Committee is to be tested as part of an ICFR project, there is some evidence to review and prove the job is being done and done well.

Audit Committees should ask lots of key questions about financial reporting and about the external auditors, and should be able to meet privately with anyone they need to in order to discharge their responsibilities. They should hold impromptu meetings when critical issues arise.

The Audit Committee is a key part of the Control Environment as well as an important Monitoring control. It should be objective and unencumbered in its operation. These are key items to assure when reviewing its effectiveness.

A fourth area for careful review of Control Environment is Organizational Structure. For some small companies this may seem laughable. When a company has so few employees that an organizational chart is difficult to draft, that in and of itself should be cause for concern.

If a company is so small that it has very few employees, key expertise roles must still be fulfilled by someone. It may be that roles such as legal or tax are outsourced. If so, then these should be referenced.

It may also be that reporting lines are fluid and many people fulfill many roles depending on who is available. This is a circumstance of living in a small dynamic company. However, when everyone is in charge then no one is in charge.

Someone must ultimately be responsible for key tasks which affect the company’s internal controls. If employees “fill in” for someone else, this should be documented. If this “filling in” causes problems in segregation of duties, then mitigating controls should be put into place to provide reasonable assurance that internal controls are in place and can operate effectively.

It may be a fact of life that employees who approve transactions are absent a great deal. Given this circumstance, the approval authority should be designated and documented to the appropriate alternate employee(s). It should not be haphazard or undocumented. Otherwise, no one values the task of approving, and little review and effort is expended to apply proper oversight.

Further, the key approver who was absent should be provided all transactions to review that have been handled by the designated surrogate. Some level of review and approval is necessary to assure some oversight. Otherwise, a fast moving company can find itself in the middle of a restatement or fraud. At that time, everyone will wish they had taken that time earlier to review work prior to the publishing of financial statements and disclosure to the public of critical information.

These are just a few of the key areas in Control Environment for companies to consider for inclusion in their documentation of Entity Level Controls. Testing the effectiveness of these key controls allows a company to properly risk-base its scoping of other process controls. This allows the right-sizing of the COSO model to smaller company requirements while adding some formalization of controls, policies and procedures for smaller companies.

Compliance Playbook® and Compliance Partner ™ provide tools and best practices with complete sets of controls in Entity Level Controls as well as all key process areas. This expedites a smaller company’s ICFR project while maintaining quality. Further, the software and best practices provide a sustainable framework for the first year and ongoing years of ICFR projects.

Stay tuned for the next in our series of Entity Level Controls – Risk Assessment. We will examine how this important area can be tuned for small companies. If your company needs assistance in the effective and sustainable compliance in SOX 404 or MI 52-109, contact http://www.issuescentral.com/ for more information on Compliance Playbook® for companies based outside of Canada. For Canadian based companies, see http://www.compliancepartner.ca/ for more information on Compliance Partner™ from Thomson Carswell.
