While everyone wants to reduce compliance costs related to The Sarbanes-Oxley Act of 2002 (SOA), specifically Section 404 of the Act, Year Two for most accelerated filers is shaping up to be a year of incremental improvement as management takes a hard look (1) at the number of controls they classified last year as “key controls,” (2) at their testing scopes, (3) at their deployment of internal and external resources, and (4) at specific testing tools and techniques. We expect this self-examination to increase the efficiency and reduce the cost of testing. However, it will not drive substantive improvements in the financial reporting process and in the underlying control environment.
Our fear is that companies will end up designing their compliance process around an already high-cost internal control structure. A narrow compliance focus will forever embed high processing and compliance costs. Now is the time to consider the longer-term view as to where the organization’s financial reporting processes and internal control structure need to be, so that appropriate improvements can be considered while the budget process for next year is underway. This issue of The Bulletin focuses on some of the opportunities companies should consider as they plan for Year Three of Section 404 compliance.
Start with a goal
During the annual budget cycle, companies should examine the value proposition of increasing quality, compressing time and reducing costs within their business processes – while simultaneously reducing financial reporting risk. While this opportunity has always been available, management can now add up the hours required to perform testing of manual detective controls, price out those hours, and project the costs into the future discounting for present value. Because the total cost will be huge for many companies, management should break down the costs into meaningful components to understand the impact of improving process performance on compliance cost-effectiveness. The greatest opportunity for redirecting the compliance process lies in manually driven areas which are data intensive and high-volume in nature.
There are three primary strategies for re-evaluating these labor-intensive testing activities:
- (a) Companies can eliminate the testing altogether through (i) the risk assessment process if the area is low risk and does not warrant testing or (ii) the scoping process by filtering out controls that are not significant and, therefore, do not warrant testing.
- (b) Companies can also reduce the extent and/or alter the timing of testing with alternative sources of evidence. For example, they can deploy self-assessment, entity-level monitoring and/or process-level monitoring to provide evidence to management that key controls are operating effectively before a single independent test is performed.
- (c) Finally, companies can streamline the organization’s processes by eliminating nonessentials and simplifying, focusing and automating the essential process activities. Process improvements can alter the underlying controls if a manual process is automated. For example, as we pointed out in Issue 2 of Volume 2 of The Bulletin:
  - As organizations eliminate nonessentials, they will examine the need for redundant controls.
  - As they simplify, standardize and automate their processes, there will be greater emphasis on preventive controls (versus the detective controls that institutionalize costly and non-value-added rework into processes) and increased emphasis on systems-based controls (versus the more costly, error-prone people-based controls).
  - As efforts to eliminate rework and build quality into the process occur, companies will reduce the number of manual journal entries required to close the books, streamline account reconciliation activity, deploy available automated controls and reduce the number of spreadsheets by transferring spreadsheet functionality into the organization’s ERP system where it belongs.
  - As all of these changes occur, there will be a better mix of preventive and detective controls as well as of automated and manual controls, leading to more efficient controls testing.
For most accelerated filers, we believe that strategy (a) is primarily what’s being emphasized during Year Two. However, there isn’t as much evidence of widespread execution of strategies (b) and (c). With this in mind, we suggest below several ideas to consider when planning for next year.
Optimize automated controls
Are you deploying the systems-based controls embedded within your financial management ERP solutions that, if properly executed, would support compliance and reduce the need to rely on redundant manual controls? The idea of increasing reliance on automated controls is not new. The re-engineering trend of the nineties focused on enabling functionality, giving rise to the prevalence of enterprise resource planning (ERP) systems such as SAP, Oracle, PeopleSoft and others. Although these systems mechanized many corporate activities, the automation of controls continued to be a stretch goal that never seemed to gain traction. Therefore, these controls frequently are not configured to operate.
Today is a new era. SOA requires an annual assertion as to the effectiveness of internal control over financial reporting (ICFR) and a quarterly executive certification of disclosure controls and procedures. Given the traditional reliance in the past on manual controls and tedious sample-based tests of those controls, management must execute an expensive compliance approach every year. The alternative is to re-evaluate the controls portfolio with an eye towards balancing the mix of automated and manual controls. This is important because an automated control takes approximately 75% less time to test than a manual control. To illustrate:
- Manual controls require an inspection of each sample occurrence, often embedded in reams of documents, whereas an automated control only requires a one-time observation of a configuration setting.
- Testing of a remediated manual control requires additional sampling versus the real-time resolution and retesting of online controls.
These savings can quickly add up. Because Year Two efforts are unlikely to modify significantly the controls portfolio, controls automation should be a Year Three priority.
To shift the control structure and the associated testing toward increased reliance on automated controls, management should (a) request input from the appropriate functional and unit managers and process owners to identify the best opportunities, (b) investigate alternative technology investments and (c) prioritize opportunities based on an analysis of costs and benefits. Our advice on controls automation is to start planning for it now.
Improve process-level monitoring tools
Are you maximizing the use of automated monitoring tools and data analytics to evaluate the results of data-intensive, high-volume transaction processes on a more comprehensive and substantive basis, and thereby eliminating the need for performing labor-intensive block vouch tests of controls?
For processes like accounts payable, cash applications or payroll, management should plan for a shift to continuous monitoring. This shift is accomplished through the following steps: (a) source the key financial reporting and operational risks within the processes (which should already be addressed in the Year One Section 404 documentation), (b) understand the key attributes that must be analyzed on a comprehensive basis to ascertain whether the key process risks are reduced to an acceptable level, (c) identify the alternative technology tools that will perform the necessary functions, (d) evaluate the alternative tools and related systems implications and (e) decide on the frequency of monitoring, e.g., daily, weekly, monthly or quarterly. Include these steps in your business plan for next year.
Use of continuous monitoring tools will replace manual testing and substantially reduce the need for periodic auditing. While this exercise reduces the number of hours required to perform manual testing of key controls (by 50 percent or more, depending on the situation), the real objective is cost-effective process performance, not cost-effective compliance. The comprehensive coverage of continuous process-level monitoring makes the testing process value-added because it can lead to operational improvements. This shift from compliance to quality is what the “Project to Process” vision is all about.
To illustrate, a U.S. manufacturer with $800 million in annual sales and multiple business units and divisions used continuous process monitoring to identify duplicate vendors, inactive vendors, data anomalies that could indicate fraud and other issues to improve compliance and operational efficiency.
Among other things, the company received the following:
(a) detailed information on spending by vendor, by business unit, by division, by state allocation, and by SIC code; (b) an identification of duplicate and inactive vendors; (c) a duplicate payments analysis and identified control deficiencies; (d) a claim resolution root cause analysis; (e) a fraud analysis; (f) an identification of lost and missed discounts; and (g) an identification of strategic sourcing opportunities. The result was reduced compliance costs, greater assurance and improved governance.
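A constructed illustration (added here; not the manufacturer's tooling or a Protiviti product) of the duplicate-vendor, inactive-vendor and duplicate-payment checks that such process-level monitoring performs, run over an embedded sample vendor master and payment ledger. All record field names, matching rules and sample values are assumptions:

```python
import re
from collections import defaultdict
from datetime import date, timedelta
from itertools import combinations

LEGAL_SUFFIXES = {"inc", "incorporated", "llc", "ltd", "corp", "corporation", "co", "company"}

def normalize_name(name):
    # "Acme Supply, Inc." and "ACME SUPPLY INC" must collapse to one key.
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)

def normalize_invoice(inv):
    # "INV-0042" and "inv 42" both become "inv42"; re-keyed invoice numbers drive duplicate payments.
    compact = re.sub(r"[^a-z0-9]", "", inv.lower())
    return re.sub(r"^([a-z]*)0+(?=\d)", r"\1", compact)

def find_duplicate_vendors(vendors):
    # A normalized name, tax id or bank account shared by more than one master record is a candidate duplicate.
    groups = defaultdict(set)
    for v in vendors:
        groups[("name", normalize_name(v["name"]))].add(v["id"])
        for field in ("tax_id", "bank_account"):
            if v.get(field):
                groups[(field, v[field])].add(v["id"])
    return sorted((reason, tuple(sorted(ids))) for (reason, _), ids in groups.items() if len(ids) > 1)

def vendor_aliases(dup_groups):
    # Map each id in a duplicate group to the group's first id so payments split across
    # duplicate vendor records are compared together (chains of overlapping groups would need union-find).
    return {vid: ids[0] for _, ids in dup_groups for vid in ids}

def find_inactive_vendors(vendors, payments, as_of, max_idle_days=365):
    # Dormant-but-still-payable vendor records deserve review and are a standard fraud-analysis item.
    last_paid = defaultdict(lambda: date.min)
    for p in payments:
        last_paid[p["vendor_id"]] = max(last_paid[p["vendor_id"]], p["date"])
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(v["id"] for v in vendors if last_paid[v["id"]] < cutoff)

def find_duplicate_payments(payments, aliases=None, window_days=90):
    # Same canonical payee, same amount and same normalized invoice reference within the window.
    aliases = aliases or {}
    by_key = defaultdict(list)
    for p in payments:
        payee = aliases.get(p["vendor_id"], p["vendor_id"])
        by_key[(payee, normalize_invoice(p["invoice"]), p["amount_cents"])].append(p)
    hits = []
    for group in by_key.values():
        for a, b in combinations(sorted(group, key=lambda x: x["date"]), 2):
            if (b["date"] - a["date"]).days <= window_days:
                hits.append((a["id"], b["id"]))
    return sorted(hits)

# Constructed sample vendor master and payment ledger (not real company data).
VENDORS = [
    {"id": "V001", "name": "Acme Supply, Inc.", "tax_id": "12-3456789", "bank_account": "111"},
    {"id": "V002", "name": "ACME SUPPLY INC", "tax_id": "12-3456789", "bank_account": "222"},
    {"id": "V003", "name": "Globex Corp", "tax_id": "98-7654321", "bank_account": "333"},
    {"id": "V004", "name": "Initech LLC", "tax_id": "55-5555555", "bank_account": "444"},
]
PAYMENTS = [
    {"id": "P1", "vendor_id": "V001", "invoice": "INV-0042", "amount_cents": 125000, "date": date(2005, 3, 1)},
    {"id": "P2", "vendor_id": "V002", "invoice": "inv 42", "amount_cents": 125000, "date": date(2005, 3, 15)},
    {"id": "P3", "vendor_id": "V003", "invoice": "G-100", "amount_cents": 50000, "date": date(2005, 5, 1)},
    {"id": "P4", "vendor_id": "V003", "invoice": "G-100", "amount_cents": 50000, "date": date(2005, 5, 20)},
    {"id": "P5", "vendor_id": "V004", "invoice": "I-7", "amount_cents": 9900, "date": date(2003, 11, 1)},
    {"id": "P6", "vendor_id": "V003", "invoice": "G-101", "amount_cents": 50000, "date": date(2005, 6, 10)},
]

def run_monitoring(vendors=VENDORS, payments=PAYMENTS, as_of=date(2005, 6, 30)):
    # One monitoring pass; in production this would be scheduled at the chosen frequency.
    dups = find_duplicate_vendors(vendors)
    return {"duplicate_vendors": dups,
            "inactive_vendors": find_inactive_vendors(vendors, payments, as_of),
            "duplicate_payments": find_duplicate_payments(payments, vendor_aliases(dups))}
```

Note that the payment to "ACME SUPPLY INC" is only caught as a duplicate once the two Acme master records are aliased together, which is why duplicate-vendor detection runs first.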
Improve financial process effectiveness
While everyone talks about adding value in just about every business endeavor, the volume of such dialogue is noticeably lower with respect to financial reporting processes. These processes have received short shrift for years compared to the core operating processes that deliver products and services to customers. We suggest there is a strong link between (a) improving process quality, time and cost performance and (b) strengthening the effectiveness of ICFR. One cannot be done without doing the other.
Most companies have not had sufficient time to explore the relationship between business process performance, internal control quality and compliance cost-effectiveness. This linkage is critical to the “Project to Process” transition that will drive value-added results. Therefore, companies should build into their business plans a step to take a look at the warning signs that value is being left on the table, as illustrated by the ten indicators provided in Issue 2 of Volume 2 of The Bulletin (available at www.protiviti.com). For example, the indicators included (a) general ledger close cycle times falling significantly below peers, (b) high error rates in financial transaction processes such as accounts payable, cash application and payroll, and (c) high-cost activities due to structural redundancies, complex manual procedures and nonessential tasks. Other examples include excessive use of spreadsheets and a higher than normal use of manual, non-standard journal entries.
Why is this so important? Companies have opportunities to improve process performance by building-in (versus inspecting-in) quality, compressing time and reducing costs within their processes – and all of this while simultaneously reducing financial reporting risk. While this is a crossroad for all business processes, it is especially evident for processes supporting financial reporting. With process maps and other Section 404 documentation making financial reporting processes more transparent than ever, the business plan should incorporate steps to (a) take an objective look, using a suitable list of value-add indicators, to identify opportunities for improving the operating efficiency and effectiveness of business processes affecting financial reporting, (b) prioritize the improvement opportunities, (c) assess the value proposition for priority opportunities based on expected costs and benefits, and (d) fund and staff the effort to make the selected improvements happen.
Pay attention to security
New vulnerabilities in computing/networking devices are identified weekly, a particular concern for companies with (a) a significant or complex IT infrastructure, (b) significant electronic intellectual property or sensitive data, (c) an eCommerce portal/product or eBusiness partners, (d) credit card information processing operations or (e) operations in a regulated industry (e.g., health care or banking). For companies with recent, current or planned major IT projects, with major decentralized IT organizations, with major IT projects implemented by separate business units (rather than a centralized IT function) or with major IT project implementations outsourced to vendors or consultants, management must ask the following question: Are we comfortable that security is being adequately addressed in all of our IT project initiatives?
The question is an important one. A National Institute of Standards and Technology study in 2004 indicated that poor security reliability costs the economy $59.5 billion annually. A Carnegie Mellon study, also in 2004, estimates the percent of total project costs due to inadequate requirements is 25 percent. By contrast, the costs associated with appropriate security engineering and design from pre-implementation planning through the go-live point are approximately 7 to 10 percent of total project costs.
When planning for next year, management should plan to conduct a security assessment, particularly if it is unclear when network security testing was last performed, there have been recent changes or upgrades to the IT environment, network security is outsourced, dial-in access is predominant in the organization or the organization has a wireless network implementation. Management should also (a) determine that the company is getting its money’s worth from a security standpoint, (b) ascertain that all critical security elements are being tested, and (c) understand how off-site employees, contractors or locations are getting into the company’s computing systems. Remember: Security is rarely implemented after a project “goes live” into production. So management should identify who is responsible for the engineering and design of IT security for new projects within the enterprise and ensure they are adequately staffed and funded to get the job done. If there are IT security issues, management should plan to take the necessary steps to increase the efficiency and effectiveness of profile management practices. Management should also examine the merits of a scorecard of appropriate security metrics.
Implement a self-assessment process
Here is another question: Is your enterprise utilizing self-assessment to keep its process owners engaged? We know that some managers answer “yes” to this question under the premise that pushing down the quarterly executive certification into the organization for other people to sign is a self-assessment process. We respectfully suggest it isn’t. As explained in Issue 1 of Volume 2 of The Bulletin:
Systematically applied across the organization at the entity and process levels, self-assessment is a pre-determined approach whereby individuals self-review or self-audit the controls for which they are responsible AND communicate the results to appropriate management. In response to the upward reporting of process owner assessments, follow-up is taken where necessary. Used in combination with an effective entity-level monitoring process and periodic controls testing, self-assessment is a powerful and flexible element of an ongoing Section 404 compliance program because it enables certifying officers to receive, from people who should know, a comprehensive statement that key controls are in place and operating effectively.
Therefore, self-assessment is process-based because it is linked to key controls identified in the Section 404 documentation. The approach is a “chain of accountability,” because the process owners responsible for the key controls report on their effectiveness.
If self-assessment is not currently deployed, management should incorporate a step in next year’s plan to take a close look at how to deploy self-assessment in the organization to provide a source of evidence that key controls are in place and operating effectively. Self-assessment should be an integral component of a balanced test plan in which independent tests of controls are only one element of the total body of evidence available to management. The use of self-assessment should enable management to alter the nature, timing and extent of independent tests of controls in all low-risk areas and in many moderate-risk areas. For example, some companies are planning to reduce independent controls testing by up to 50 percent or even more next year, with self-assessment as an important component of the revised test plan.
Consider other ideas
We have suggested that senior management take a fresh look at how to elevate the compliance activity to another level.
Management should consider the above five areas when developing the plan for next year. There are other areas. For example, among other things, management should:
- Evaluate the nature and extent of segregation of duties issues within the organization and determine whether changes are necessary and/or feasible.
- Review entity-level controls, including entity-level monitoring (which is applied by senior management versus the process-level monitoring applied by process owners), in areas where improvements have been suggested either by the external auditors or by others.
- Strengthen the anti-fraud program with emphasis on prevention and deterrence.
- Review the period-end financial reporting process for opportunities to compress closing cycle time and strengthen controls over management override.
- Align the internal audit plan with management’s Section 404 test plan, consistent with the demands on the function.
- Improve the change recognition process and define responsibilities for evaluating the reporting implications of change.
The above summary is by no means complete. The point is, management should start with a longer term view of the financial reporting and compliance processes and incorporate appropriate action steps into the business plan for next year to ensure progress will be made.
Consider the effect on the test plan
In addition to building into next year’s business plan the various action steps suggested above, another important step should be considered. Management should plan to evaluate the impact of implementing the various steps on the test plan. As pointed out in Issue 4 of Volume 2 of The Bulletin, a balanced test plan consists of three elements – process owner self-assessment, monitoring (both entity-level and process-level) and independent testing (both automated and manual controls). Thus the effect of each step taken on the cost-effectiveness of the test plan is an integral part of the value proposition for making improvements.
An organization’s self-assessment program and monitoring capabilities provide a strong foundation for its compliance environment. The stronger that foundation and the greater the maturity of its business processes (i.e., the extent to which they are defined and managed), the less independent testing is needed to support management’s assertion regarding the effectiveness of ICFR. As noted earlier, when senior management can see the full cost of labor-intensive tests of manual controls, the value proposition for a balanced test plan will become clearer.
Following are a few points explaining how a test plan is balanced to help management achieve a cost-effective compliance process:
- If effective continuous monitoring is in place at the entity and process levels, management has available more transparency in the performance of financial reporting processes and controls. This transparency reduces risk and provides evidence regarding financial reporting assertions that should be considered by management when planning the nature, timing and extent of independent tests of internal controls.
- The existence of process-based self-assessment provides still more transparency directly from the very people who are in the best position of anyone to know whether or not key controls are really working effectively. This transparency drives accountability and provides evidence regarding financial reporting assertions that should also be considered by management when planning the nature, timing and extent of independent tests of internal controls.
- The increased emphasis on eliminating errors at the source when improving financial process effectiveness compresses processing time and reduces the need for back-end manual controls, which in turn alters the timing or reduces the extent of independent tests of manual, detective controls.
- The improved mix of automated and manual controls leads to more cost-effective testing. When testing application controls, there is ordinarily no need for a large test sample if the general IT controls are designed and operating effectively. For example, evaluation teams may perform a “test of one” covering all conditions versus more extensive testing of a sample of manual controls. The reason for such scope reductions is that application controls are not subject to human error and risk of breakdown, provided they are designed, maintained and secured effectively.
- When entity-level controls, including audit committee oversight, the anti-fraud program and controls over the period-end financial reporting process, are improved, there is an attendant shift of focus to these important areas in the test plan along with corresponding reductions in tests of detailed transaction controls.
In summary, test plans become more balanced due to reductions in the scope of independent testing of process-level controls as a result of increased reliance on self-assessment and monitoring and an improved mix of automated versus manual controls and preventive versus detective controls. The increased focus on the quality of controls reduces financial reporting risk as well as the cost of control.
The message is clear: Make the choices that improve the quality, compress the time and reduce the cost of the financial reporting processes and of the underlying internal controls.
These choices reach beyond choosing to design a more repeatable, better defined and effectively managed compliance process. That design decision is obvious. However, if the design decision is made around the existing internal control structure, companies are very likely to end up disappointed in the results they achieve.
For most companies, the elusive key to cost-effectiveness does not lie within the constraints of the existing control structure. Senior management should avoid the mistake of limiting the focus to compliance and delegating responsibility for the “Project to Process” transition to middle managers with the usual mandate to reduce costs. The opportunity is much more than just streamlining the compliance effort. The risk we see is that companies will design an ongoing compliance process around a high-cost internal control structure. That approach will not achieve the results most executives want. The right choice is to commit to improving the quality of the internal control structure and design the compliance process around that improved structure. The only way to travel that road is to adopt a longer term view and begin building appropriate expectations and action steps into the business plan.
Key Questions to Ask
Key questions for board members:
- Is the board satisfied that management is planning to emphasize adding value and increasing cost-effectiveness of the internal control structure versus wrapping a compliance process around the existing internal control structure?
- Has management benchmarked the performance of the enterprise’s business processes from a quality, time and cost standpoint to identify performance gaps? Has management sourced the root causes of significant gaps to identify opportunities to improve performance while simultaneously reducing financial reporting risk?
Key questions for management:
- Have you begun your planning and budgeting process for next year? If so, have you included in your plan and budget cycle appropriate expectations and action items to add value within your processes while improving sustainability of the internal control structure?
- We are aware of companies planning for reductions in compliance costs of up to 50 percent in Year Three (as compared to Year Two, which already reflects reductions from Year One) with a robust application of self-assessment as a key component in achieving such reductions. If you have not considered self-assessment as an integral part of your test plan, isn’t it time you did?
- Do you know how many hours your personnel are incurring performing sample-based block vouch testing of manual controls, and have you evaluated how improved monitoring can translate into reductions in your test plan of these labor-intensive tests? To illustrate, we are aware of examples in the purchase-to-payment cycle where continuous process-level monitoring results in reductions in the hours required to manually test key controls by up to 50 percent and even more, depending on the circumstances.
- An automated control generally takes 75 percent less time to test than a manual control, plus it reduces employee time to operate and supervise and is less susceptible to breakdown through human error and intervention if designed, maintained and secured effectively. Are you satisfied with your mix of automated and manual controls, particularly if your company utilizes an ERP solution, already deploys strong IT change and security general controls or applies manual controls in environments with high transaction volumes and risks?
- Experience shows that companies implementing finance best practice processing techniques have achieved average cost savings of about 30 percent. Have you taken an objective look at how you can improve quality, time and cost process performance while simultaneously reducing financial reporting risk?
- We are aware of reductions in month-end close cycle times of up to 70 percent where, in many situations, investments in technology are not required to achieve the savings. Are you satisfied with the elapsed time of your close process?
- In a high-volume process, such as accounts payable, performance data suggests that process quality issues may exist in nearly one of every five transactions. Have you looked at opportunities to improve processing quality while at the same time enhancing the sustainability of the internal control structure?
- There is empirical evidence that substantial costs are incurred as a result of poor IT security. Are you confident your organization is spending its security investments wisely and that all critical business processes are supported from a security standpoint?
The Bulletin (Volume 2, Issue 5)