With the books closing on many companies’ first internal control assessments under new, relaxed compliance guidelines, many chief financial officers are already pondering how to improve next year’s processes.
For some companies and external auditors, it means another round in the tug-of-war over risk, zeroing in on areas that present the most meaningful risk of errors that could have a material effect on financial statements. Since regulators gave new direction last summer calling for a more top-down look at internal controls with a sharper focus on risk, companies and auditors have sparred over just how to do that, each side usually claiming the other is resistant to change.
For companies further along in that debate, however, improvement in 2008 probably means moving to get more tasks and controls automated.
“That’s certainly a trend that is happening right now,” says Michael Fiore, national IT audit practice leader with CBIZ Risk & Advisory Services. “I’ve seen a lot of trends come and go, but with the pressure Sarbanes-Oxley has put on companies, there seems to be a tremendous shift in how to take significant applications and automate a lot of the control base.”
Last summer, the Securities and Exchange Commission and the Public Company Accounting Oversight Board revised compliance with Section 404 of SOX, which governs reports on and audits of internal controls. The SEC offered management guidance on how to assess internal controls, while the PCAOB rewrote its auditing rules. Both called for a less granular, more high-level look at the effectiveness of controls.
The new guidance got a lukewarm reception in some circles, with some companies and audit firms claiming they’d already shifted in that direction and didn’t expect to gain any more efficiency in the internal control reporting and auditing processes.
Todd Markus, vice president at consulting firm Accretive Solutions, argues that technology presents the only meaningful alternative. “There’s really nothing left to do to wring efficiencies out of this process other than automating controls and monitoring controls,” he says.
According to Markus, some companies are now pushing hard to end reliance on spreadsheets created outside of an enterprise resource planning system—such as those created via Microsoft Excel, which have poor security and version control standards. ERP systems generally tend to offer much functionality that companies have never put to work, he says.
“There are a lot of companies that have just used aspects of their ERP systems or other software to book general ledger entries,” he says. “They might have been doing billing or deferred revenue in other systems, largely because they were used to their spreadsheets. The path of least resistance is to just keep doing that.”
Markus says companies increasingly want ways to turn on more of the underused functions in existing systems, which means employing more automation and more monitoring controls. Not only does that curtail the typical fourth-quarter sprint to complete the internal control assessment, he says, it also reduces the close-out cycle and gives management more visibility into the data, which aids financial planning and analysis.
Below is an excerpt from Auditing Standard No. 5 that lists what the auditor’s report on the audit of internal control over financial reporting must include:
PCAOB’s Auditing Standard No. 5 (May 24, 2007).
Fiore says once companies integrate automated controls into an ERP program itself, they only need to be tested once. “You benchmark at the beginning, and once it’s tested, it doesn’t need to be retested in ensuing years if you can prove there’s been no function change in the application in subsequent years,” he says.
Companies could, for example, get considerable efficiency by automating the three-way vendor match function contained in most off-the-shelf programs, Fiore says. That’s where companies verify transactions against vendors to assure payments are made correctly and not inadvertently duplicated. “You turn that thing on, and it eliminates three or four steps in the process that companies are typically relying on from a manual standpoint,” he says.
The key is wise mapping of general ledger data, Fiore says. Companies could use more internal mapping features to map transactions to the general ledger, reducing reliance on manual reconciliation processes.
As with many technological innovations, corporate inertia can prevent companies from getting the most out of existing applications, Fiore contends. “A lot of companies aren’t trained or they’re worried about getting the application up and running,” he says. “They’re trying to fit existing processes into an application instead of looking at the application’s function and seeing how it fits their process.”
While some internal control experts see automation as a way to reduce the number of key controls that a company identifies as subject to SOX scrutiny, Joe Dupree of IT consulting and software firm Infogix sees the role of automation differently.
“Through automation, you’re more effectively able to cast a greater number of controls, to keep an eye on more things and use fewer people to do it,” he says. “The key is to deploy the same control in numerous ways throughout the financial reporting process.”
“If you’re able to employ automated controls in a standardized way, it helps drive down the cost of compliance,” he says. “You only have to train your auditors on one kind of control report, and anywhere those controls are deployed, they’re quickly up to speed to understand the controls.”
Therese Tucker, CEO and founder of software firm BlackLine Systems, says companies of all sizes are still surprisingly dependent on paper, manual processes to manage closing of the books. Companies could easily automate account reconciliation for low-risk accounts, leaving more time and muscle to analyze higher-risk accounts, she says. Tucker advocates more customized solutions.
“For a company to be able to use automation to automate some of their key controls, that technology does have to be specific to that control,” she says. “You can’t take a broad solution, wave a wand, and say ‘automate.’”
Companies can also get some new control efficiency by focusing more on monitoring controls, says Trent Gazzaway, a partner with Grant Thornton and project leader for guidance on monitoring that will soon be forthcoming from the Committee of Sponsoring Organizations (COSO).
COSO published a discussion document last fall on how companies could more effectively use the guidance in its internal control framework on monitoring controls as a way to ensure they are working properly. COSO says monitoring should be designed to determine whether components of internal control are operating properly and to communicate weaknesses in a timely manner so they can be corrected.
Gazzaway says companies can gain a lot of efficiency now by taking to heart the messages in the discussion document, even as the task force writing the guidance continues tweaking it for final release. The premise, he says, is that controls should be monitored continually to ensure they are working properly, not checked as part of a year-end compliance exercise. It not only improves the quality of control, but it makes the compliance process more efficient.
“Monitoring provides the people responsible with information they need to conclude the system is working the way it is supposed to and to provide a level of oversight,” he says. “If you can provide information to tell management that controls are working, it stands to reason that component is important to the external assertion that controls are working.”