EXECUTIVE SUMMARY
THE ASSESSMENT OF
COMPANY-LEVEL CONTROLS is a
critical part of complying with section
404 of Sarbanes-Oxley. The PCAOB says
public companies must assess the design
and operating effectiveness of these
controls in addition to examining
detailed process- and transactional-level
control activities. COMPANY-LEVEL CONTROLS ARE
THOSE THAT PERMEATE an
organization and have a significant
impact on how it achieves its financial
reporting and disclosure objectives.
These controls are exemplified by the
control environment itself including the
tone at the top, corporate codes of
conduct and policies and procedures.
CPAs CAN FOLLOW SIX STEPS TO
HELP ENTITIES comply with
company-level control requirements. These
steps are defining the project plan and
key milestones, building a structure to
assess the controls, obtaining input on
the design of company-level controls,
documenting and assessing the controls,
testing their effectiveness, and engaging
in gap remediation and continuous
improvement.
THE ASSESSMENT IS REQUIRED OF
PUBLIC COMPANIES, but private
companies and not-for-profit
organizations also can benefit by looking
at the process as a best practice that
leads to stronger governance and better
financial results.
J. STEPHEN McNALLY, CPA, is
director of finance of Campbell USA, a
division of Campbell Soup Co. in Camden,
N.J. His e-mail address is j_stephen_mcnally@campbellsoup.com. This article is based on one
the author wrote for the winter 2005
issue of the Pennsylvania CPA
Journal.
What are company-level controls? How do CPAs go
about evaluating their effectiveness? As the
compliance deadline for section 404 of the
Sarbanes-Oxley Act approaches for some companies,
many have yet to face a critical hurdle: the
assessment of their company-level controls. The
Public Company Accounting Oversight Board says
public companies must assess the design and
operating effectiveness of company-level controls
in addition to examining detailed control
activities at the process and transactional
levels.
This article provides a
six-step process CPAs can use to meet this
critical aspect of section 404 compliance. The
steps are based in part on the author's
experiences as director of finance for Campbell
Soup Co. Although only public companies subject
to section 404 are required to formally assess
company-level controls, nonpublic companies and
other types of organizations may wish to do
similar evaluations as a best practice.
[Chart: A Role to Play. In what areas of
Sarbanes-Oxley compliance work was
internal audit involved during 2004?
Source: PricewaterhouseCoopers LLP, 2004 survey
of 441 companies, www.pwc.com.]
CONTROLS ARE EVERYWHERE
Company-level
controls permeate an organization and have a
significant impact on how it achieves its
financial reporting and disclosure objectives.
One example is the control environment itself,
which includes the tone at the top, the corporate
code of conduct, policies and procedures, the
assignment of authority and responsibility,
management's risk assessment processes,
fraud-prevention efforts and other company-wide
programs that apply to all locations and business
units. Company-level controls also monitor the
results of operations and the functionality of
other controls, including self-assessment
programs and internal audit reviews. Oversight
activities by senior management, the audit
committee and the board also demonstrate these
controls.
Section 404 says senior
management at public companies must
State its responsibility
for establishing and maintaining adequate
internal control over financial reporting and
disclosure.
Assess the effectiveness of
the company's internal controls for the
current fiscal year.
Identify the framework used
to make this evaluation.
To comply, many companies have
adopted the COSO internal control framework and
its five components: control environment,
risk assessment, control activities, information
and communication, and monitoring.
The PCAOB says public companies
must give adequate consideration to all five
components, including detailed control activities
at the process and transactional level as well as
the other COSO components known collectively as
company-level controls. In Auditing Standard no.
2, An Audit of Internal Control Over
Financial Reporting Performed in Conjunction with
an Audit of Financial Statements, the PCAOB
says the external auditor should evaluate whether
managements documentation includes all five
components of internal control over financial
reporting when determining whether it provides
reasonable support for managements overall
assessment.
Auditors should test and
evaluate the design effectiveness of
company-level controls first and adjust their
approach for evaluating the other aspects of
internal control over financial reporting
accordingly. CPAs should consider ineffective
company-level controls a deficiency that might
affect the scope of work performed in an audit,
particularly when a company has multiple
locations or business units.
STEPS TO COMPLIANCE
As part of the
internal process of ensuring compliance with the
company-level control aspects of section 404,
CPAs can recommend companies follow six steps:
defining the project plan and key milestones,
building an assessment structure for
company-level controls, obtaining input on
control design, documenting and assessing the
controls, testing control effectiveness and
engaging in gap remediation and continuous
improvement efforts.
Step One: Define project plan and key milestones. The first compliance step CPAs should
take involves planning: outlining the project
(including key activities and timelines) and
identifying critical milestones. This helps
assess the resources needed to complete the
company-level controls effort in a timely manner
and gauge the teams progress compared to
expectations.
In this instance the key
activities in the project plan may represent
overlapping tasks to be performed in parallel
rather than in sequence. For example, management
typically needs to determine the existence and
nature of a process- or transactional-level
control before collecting evidence to test its
effectiveness. However, when it comes to
company-level controls, evidence collection may
occur at any point during the overall compliance
effort. Some evidence (codes of conduct,
corporate policies, organization charts and the
like) may facilitate the building of a customized
assessment structure or provide insight into the
design of the organization's company-level
controls and also represent evidence to support
the effectiveness of these controls. For
instance, when we reviewed the charter for
Campbell's audit committee, it provided
insight into the oversight activities this
committee performed, in addition to offering
evidence that such a document existed.
Step Two: Build an assessment structure for company-level controls. To
methodically evaluate these controls, companies
need a formal structure within the context of the
overall internal control framework adopted by
management. To build this structure, CPAs should
first review appropriate authoritative
literature, including COSO's Internal
Control–Integrated Framework, PCAOB
Auditing Standard no. 2 and Sarbanes-Oxley
itself, and solicit the input of the
company's external auditors and any
consultants providing subject matter expertise on
the company's overall section 404 compliance
efforts. CPAs also should talk to peers at other
companies, attend seminars on company-level
controls compliance and use other available tools
(for example, KPMGs www.404institute.com Web site).
A customized assessment
structure likely will consist of 20 to 30
objectives across the four COSO components that
relate specifically to company-level controls
(excluding the control activities component).
Because these objectives represent
management's control expectations for
complying with section 404 company-level
controls, management will need to formally assess
the design and operating effectiveness of each.
If management can determine it meets each
objective based on these assessments, it can
conclude that the organization's
company-level controls are adequate overall. (See
the box below for an example of company-level
control objectives.)
To facilitate management's
assessment, CPAs should support each
company-level control objective with underlying
guidance, or points of focus, representing key
considerations in examining each objective. For
example, one of Campbells objectives
related to the COSO control environment component
concerned whether management, through its
attitudes and actions, demonstrated character,
integrity and ethical values. This objective was
supported by several points of focus: Management
sets the appropriate tone at the top;
maintains codes of conduct and other policies
regarding acceptable behavior; follows ethical
guidelines in dealing with employees, suppliers,
customers and others; removes or reduces
temptations that might cause staff to engage in
unethical acts; and responds in a timely and
appropriate manner to violations of the
company's code of conduct. When making their
overall assessment of a given objective, CPAs
should carefully consider each point of focus and
the implications of any best-practice controls
that seem to be missing.
Step Three: Obtain input on the design of company-level controls. Gaining insight into the design of
company-level controls is sometimes more
challenging than assessing detailed process- or
transactional-level control activities.
Company-wide controls often are not readily
apparent: management gave them little formal
attention in the past, so nobody perceived them
as controls, which makes them harder to identify.
To solve this problem CPAs
can leverage section 404 and other documentation
already created to assess the organization's
internal control activities. For example, section
404 documentation covering the safeguarding of
cash, inventory and fixed assets can support the
company-level control objective that
management's philosophy and operating style
are consistent with a sound control environment.
CPAs also can review corporate,
accounting and human resources policies; employee
standards of conduct; organization charts;
internal communications; board of director
materials and other existing documentation, as
well as interview appropriate subject-matter
experts. Representatives from the corporate
controlling, internal audit, IT, legal and HR
functions can provide insight into high-level
oversight and other company-level controls
performed at, or dictated by management at, the
corporate level. Business unit experts can help
CPAs understand how such controls are implemented
at the local level, for example clarifying how
the local team translates the entity-wide
strategies and objectives into its plans and
activities. Finally, senior executives can
discuss how they set the tone at the top, provide
oversight, assign accountability, perform risk
assessment and in other ways directly influence
the organization's company-level controls.
At Campbell, for example, the
corporate controller explained how the company
established its corporate accounting policies,
the interaction between corporate and local
finance staff, the competency of financial talent
and, most important, the activities performed by
Campbell's disclosure committee. The
corporate secretary and vice-president of audit
helped us understand risk management, fraud
reporting, management's response to reported
improprieties, audit committee and overall board
oversight activities, and the development of
Campbell's annual internal audit plan.
Step Four: Document and assess company-level controls. The next step in the compliance process
is to formally document and evaluate the design
of company-level controls. CPAs should begin by
detailing the company's control activities
that support each objective in the assessment
structure they built in step two.
To get started with the
evaluation process, review the insights you
obtained from existing documentation and
interviews with functional experts, business unit
contacts and senior management. Then examine each
point of focus for a given objective, considering
the adequacy of existing company-level controls
relative to best practices. In other words,
assess whether the design of the
organization's current controls is adequate
for each objective. Finally, to the extent you
identify any gaps in the design of these
controls, document and begin implementing
appropriate remediation plans as soon as
possible.
Step Five: Test the effectiveness of company-level controls. Traditional
validation testing is typically used to assess
the operating effectiveness of controls at the
process and transactional levels; the type and
frequency of a control activity drives the extent
of testing CPAs perform. But few company-level
controls lend themselves to selecting a sample
size and then doing this traditional testing.
Testing the operating effectiveness of an
organization's company-level controls
requires creativity. CPAs must use other
techniques: observing disclosure committee
meetings, interviewing members of the senior
leadership team, reviewing board minutes,
obtaining a copy of the organization's
internal communications plan and evidence of its
execution, selecting a sample of reported
improprieties to assess how management responded
or conducting an employee survey.
An organization-wide survey in
particular can provide solid evidence about the
effectiveness of company-level controls, enabling
CPAs to gauge employee awareness of the
company's mission, vision and core
strategies; adherence to its code of conduct; and
use of its whistleblower hotline. A survey also
can provide a benchmark against which to measure
improvement in controls over time.
AICPA RESOURCES
CPE
Internal Controls: Design and Documentation (text, # 731851JA).
Internal Controls: Design and Evaluation Under COSO and AS No. 2 (text, # 732512JA).
Implementing SOX 404: An Advanced Analysis (webcast archived on CD-ROM, # 737177HSJA).
Publications
COSO Enterprise Risk Management: Integrated Framework (paperback, # 990015JA).
Internal Control–Integrated Framework (COSO Report: paperback, # 990012JA).
How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control (hardcover, # 029881JA).
Internal Control Reporting–Implementing Sarbanes Oxley Section 404 (paperback, # 029200JA).
PCAOB Auditing Standard No. 2: A Guide for Financial Managers (paperback, # 006619JA).
For more information or to order, go to www.cpa2biz.com or call the Institute at 888-777-7077.
Step Six: Engage in gap
remediation and continuous improvement. If testing reveals gaps in the design or
operating effectiveness of company-level
controls, you should initiate
remediation efforts as soon as possible. For
example, one control objective related to the
COSO control environment component involves
management demonstrating character, integrity and
ethical values through its attitudes and actions.
But, if management has not implemented an
anonymous whistleblower hotline or established
procedures for appropriately handling
improprieties reported via the hotline, there
likely is a gap in this company-level control. To
remedy the problem CPAs should help management
take appropriate actions, including setting up a
hotline, improving the handling of complaints or
establishing a timeline for responding to calls.
In the spirit of improving
overall corporate governance, CPAs need to
recognize the difference between adequate and
best-in-class company-level controls. CPAs should
focus on continuous improvement, looking for ways
to make the process of assessing company-level
controls more efficient and the controls more
effective. For example, although an
organization's internal audit team may
already use a comprehensive risk-assessment
process to support the development of its annual
audit plan, it may be able to enhance the process
by using a detailed questionnaire on fraud risk
factors.
IMPROVED GOVERNANCE
Documenting and
assessing company-level controls are key to
overall compliance with section 404. More
important, CPAs who focus on such controls are
likely to find ways to enhance them and
ultimately improve the organization's
overall governance. Stronger corporate governance
for Campbell Soup and other public companies
should translate into stronger business results
and increased shareholder value. It could
likewise mean greater value for owners of private
companies and help nonprofit organizations
fulfill their mission. The bottom line:
Identifying and assessing company-level controls,
performing gap remediation and maintaining a
continuous-improvement mindset benefit public
companies, private companies, NPOs and other
entities alike.