BPM Blog

BPM made simpler

HOW TO EVALUATE AND CONCLUDE ON THE OPERATING EFFECTIVENESS OF YOUR COMPANY LEVEL MONITORING CONTROLS (Part 1 of 2)

As part of your SOX compliance efforts, don’t forget about your Company level monitoring controls. Instead of merely highlighting what Company level monitoring controls are, I thought it would be more informative to share an actual evaluation and conclude summary included in the SOX Conclude Binder portion of one of my previous clients.

CLIENT ABC’s EVALUATION SUMMARY OF THEIR COMPANY LEVEL CONTROLS

Client ABC’s Company level controls were divided into two categories:

  1. Entity-level controls including the tone at the top, the assignment of authority and responsibility
  2. Process-level controls that exist and operate across an entire organization.

These controls establish policies and monitor locations to ensure compliance with corporate and location-specific policies regarding the design and operating effectiveness of internal control over financial reporting. The company level controls consist of company-wide programs and controls, centralized processing and controls, and monitoring controls.

The company’s testing strategy for key controls at the process level was predicated first on the results of the Entity Level Control assessment, then on the results of the assessment of Company Level monitoring controls, and finally on the effectiveness of the Company’s Financial Statement Close Process.

Entity Level Control Assessment

As part of the management’s Entity Level Control Environment controls (including the tone at the top, the assignment of authority and responsibility) the design and test of operating effectiveness was evaluated as follows:

All employees, regardless of their location, receive communication from senior management pertaining to the following:

  1. Conflicts of interest and anti-competitive guidelines
  2. Appropriate ethical behavior
  3. Insider trading.

Senior management also enlisted the help of the Company’s employees to learn of deviations from Company policy that may affect financial information, and committed to them that employees who communicate their suspicions in good faith will not be harmed for doing so.

Suggested board-approved policies that address significant business control and risk management practices included:

  1. The Board of Directors meets quarterly to address significant business issues, and non-director members of senior management also attend.
  2. The Board also:
     a. Reviews SEC filings prior to submission
     b. Meets with external auditors to review and approve the scope of their work
     c. Meets directly with key members of financial management on a periodic basis, including the chief financial officer and chief accounting officer
     d. Reviews the external auditor’s management letter
     e. Reviews the Company’s annual budget and three-year plan.

In addition, the Chairman of the Audit Committee is one of the contacts of the Company’s “whistleblower” program, and the Audit Committee is updated by Internal Audit on a periodic basis.

As part of the management’s Entity Level Monitoring controls the design and test of operating effectiveness was evaluated as follows:

  1. Monthly, as part of their Financial Reporting Package, each division’s Controller and CFO were required to submit certain financial and non-financial information and sign a list of representations stipulated by Corporate.
  2. Annual budget and 3-year plan were prepared before commencement of the applicable fiscal year and were reviewed by the Board.
  3. Annual budgets and forecasts by division were prepared before commencement of the applicable fiscal year and were updated at least quarterly. Budgets were compared to actual and analyzed on a monthly basis, and significant variations were explained.
  4. Bi-weekly forecasts for each division with variances to budget, last year and last forecast were performed. No significant variances go unchallenged by the COO and CFO.
  5. The CFO also conducts quarterly earnings meetings with divisions for full review of expenses, capital expenditures, trends, competition, etc.

The entity monitors controls through the activities of the internal audit function, the audit committee, and self-assessment programs.

Monitoring of controls involves internal audit and/or self-assessment processes to determine that the underlying controls (e.g., controls related to authorization and the completeness and accuracy of data) at the process level (and across locations) were in place and operating as intended.

As part of the management’s Entity Level Risk Assessment process (which identifies, analyzes, and manages risks across all locations) the design and test of operating effectiveness was evaluated as follows:

  1. Monthly, as part of their Financial Reporting Package, each division’s Controller and CFO were required to submit certain financial and non-financial information and sign a list of representations stipulated by Corporate.
  2. The Company’s president and COO conduct monthly meetings with each of the divisions’ presidents.
  3. Furthermore, the CFO conducts quarterly earnings meetings with each division’s CFO.

Based on the assessment, Entity level controls are considered to be properly designed and operating effectively to create an effective control environment.

Part 2 of how to evaluate and conclude on the operating effectiveness of your Company Level controls will focus on the assessment of Company Level monitoring controls and finally on the effectiveness of the Company’s Financial Statement Close Process.

While your Company will more likely than not have its own assessment specifics for Company Level Monitoring controls, the case study presented here should serve as a guideline to assist you in your own assessment.

Dan Anderton is a partner at SOX Experts LLC and our guest blogger today.

For more information contact Dan at 203-894-1992 or at danderton@sox-expert.com
