HOW TO EVALUATE THE OPERATING EFFECTIVENESS OF YOUR COMPANY LEVEL MONITORING CONTROLS AND DRAW CONCLUSIONS (Part 2 of 2)

As part of your SOX compliance efforts, don’t forget about your Company level monitoring controls. Instead of merely highlighting what Company level monitoring controls are, I thought it would be more informative to share an actual evaluation and conclude summary included in the SOX Conclude Binder portion of one of my previous clients.

CLIENT ABC’s EVALUATION SUMMARY OF THEIR COMPANY LEVEL CONTROLS

You’ll recall that Client ABC’s Company level controls were divided into two categories:

  1. Entity-level controls including the tone at the top, the assignment of authority and responsibility
  2. Process-level controls that exist and operate across an entire organization.

These controls establish policies and monitor locations to ensure compliance with corporate and location-specific policies regarding the design and operating effectiveness of internal control over financial reporting. The company level controls consist of: company-wide programs and controls, centralized processing and controls, and monitoring controls.

In Part 1, we focused on Entity Level Control assessment. Based on that assessment, Entity level controls were considered to be properly designed and operating effectively to create an effective control environment.

In Part 2, we will focus on the assessment of Company Level monitoring controls and finally on the effectiveness of the Company’s Financial Statement Close Process.

Company Level Monitoring Controls Assessment

To gain enough comfort that the operating effectiveness of the Company Level monitoring controls can be relied upon, the following criteria were considered:

Relevance:

1. Is the monitoring control designed and performed effectively?

2. Is the monitoring control appropriately reviewed?

3. Is the reviewer of the monitoring control competent (testing via inquiry of the reviewer)?

Frequency:

1. Is the monitoring control performed frequently enough?

2. Is the monitoring control reliable/repeatable (testing via observation or re-performance)?

Precision:

Is the monitoring control sensitive enough to detect a significant error, deficiency, or fraud?

As part of the management’s Company Level Monitoring controls, the design and test of operating effectiveness were evaluated considering the following:

  1. The monthly and quarterly CFO analytical reviews of P&L activity and balance sheet accounts.
  2. The process performed to ensure that all G/L accounts were appropriately reconciled to support.
  3. The process to ensure that all journal entries were properly supported and approved.
  4. The process to ensure that the divisions’ G/L balances were properly classified in the corporate Hyperion system.
  5. The ongoing review by management of the appropriateness of employee systems access and segregation of duties.

These Company Level Monitoring controls were tested independently by internal audit and determined to be:

  1. Designed and operating effectively (Relevance)
  2. Operating at a level of precision to identify significant errors (Precision)
  3. Performed with sufficient frequency to detect a significant error, deficiency or fraud (Frequency).

Company Financial Statement Close Process

In addition to the Company Level Monitoring controls, as part of the Company’s Financial Statement Close Process, the design and test of operating effectiveness were further evaluated as follows:

  1. All topside entries made by Corporate Accounting were supported by a proposed entry form and/or supporting data from the Division requesting the topside entry. Entries under $1M were approved by the Assistant Controller of Internal Reporting and entries over $1M were approved by the Controller, or his/her designee, who reviews the supporting documentation documented on the closing control checklist retained in the consolidation binder.
  2. Corporate Accounting reviews financial statements for comparability and consistency of account balances and groupings. Financial statements were reconciled to the general ledger, and this review and reconciliation was documented.

Each month the divisions submit Reporting Packages to Corporate Accounting based upon the deadlines established by the financial statement closing calendar. Corporate Accounting:

1. Logs and tracks receipt of these packages

2. Reviews for consistency with current reporting package standard and inclusion of all requested schedules and checklists

3. Advises the Controller of any open items for immediate follow-up

All submitted reporting packages to Corporate Accounting include:

1. Appropriate Divisional CFO signoffs indicating the completion of their review and approval of all submitted data

2. Confirmation of adherence to all Company accounting policies

3. Management’s representations as to the completeness of all significant account reconciliations, including appropriate statement of all significant account balances

All received reporting packages were reviewed and signed off on by the Controller or his designee.

All submitted reporting packages provide the following sensitivity analysis:

1. On the income statement, a variance analysis is provided for any variance greater than $500,000 or 10% compared to budget, forecast and prior year for the current quarter and for year-to-date.

2. On the balance sheet,

a. A breakdown analysis is provided on any balance of $5,000,000 or more

b. A variance explanation analysis is provided for any variance greater than $50,000 or 5% compared to prior year and last year-end.

c. Supplemental variance analysis is provided for inventory and A/R reserves and rollforward.

Company Overall Controls Assessment

Based on the Part 1 Entity Level Control Assessment and the Company Level Monitoring Controls Assessment, management concluded that their process was:

  1. Relevant to address process level risks
  2. Operating at a sufficient precision level to detect at least “more than inconsequential” errors in financial reporting
  3. Performed with sufficient regularity (monthly) to enable timely detection of error or fraud.

While your Company will more likely than not have its own assessment specifics for Company Level Monitoring controls, the case study presented here should serve as a guideline to assist you in your own assessment.

See more about SOX-Expert TaskMap Edition here

Dan Anderton is a partner at SOX Experts LLC and our guest blogger today.
