The Final Mile
As we end the month of January 2006, I can't help but think of the flurry of activity that will transpire in the next 45 days. For many public companies, this is 10K season. The December 2005 books have been closed giving way to year-end closing analysis and SEC reporting. It also means that we've entered the "final mile" of the SOX-404 efforts to test and assess internal controls over financial reporting (ICOFR). Will you pass? It is an ominous question that takes substantial time and effort to answer.
It would be hard to believe that anyone could anticipate the concert of activities necessary throughout the year only to culminate in what might be an austere final evaluation. Documentation, testing, remediation, retesting, update testing, meetings, meetings about meeting...
Relatively speaking, before the Sarbanes-Oxley Act of 2002 was implemented by any public company, life was simpler for those responsible for SEC reporting, Edgarizing, and MD&A. Today, audit committees, auditors, and company management alike pause deeply as they discuss the conclusions drawn as they discuss the evaluation of internal control deficiencies. To aid the evaluation process, version 3 of the whitepaper entitled "A Framework for Evaluating Control Exceptions and Deficiencies" was released in December 2004.
Have you read the whitepaper? If you're responsible for evaluating the magnitude of a potential error caused by control deficiencies that weren't remediated by year-end (or remediated, but lacked an insufficent frequency to conclude by year-end), you owe it to yourself and your organization to read it. Maybe you should read it twice if you did not participate in the excercise last year. The whitepaper provides a framework to quantitatively and qualitatively analyzing individual deficiences, at least anecdotally. However, it doesn't give much guidance on how one might be able to meaningfully aggregate individual deficiencies along attrbiutes such as COSO component, financial statement assertion, or significant account. That is the beginning of the "final mile".
My partner Dale Timmons had a good analogy for this "final mile". SOX 404 is like a three-hour comprehensive, end of year final exam. Consider that you are back in high school taking the toughest exam in your least favorite subject. Pick your weakest subject back then, and imagine the whole year's struggle of learning new concepts, writing detailed research reports, and taking pop-quizes. All of it was a prelude to the infamous, three hour, comprehensive, open-book, end of year final exam. Yikes! Before administering the exam, the good and fair teacher says three words, "Show your work."
Three hours later, the teacher calls, "pencils down" for the end of the exam. That's it, you're done answering and explaining. Now it's time to wait for your grade. And as you wait you silently wonder, "Will there be partial credit? What about extra credit? Is each question weighted the same?" Did you show your work?
You answered some questions well and other questions not so well. She gives you full credit for everything that was right, partial credit for showing your work on questions that were incomplete but showed logical application of concepts, and no credit for not answering a question or the flawed logic that demonstrated you were clueless.
OK. Snap out of that stroll down memory lane. Let's get back to the control deficiency evaluation process. There are several decision trees in the whitepaper referred to as Chart 1 -4. Chart 1 walks you through a series of questions to evaluate whether an exception is really a deficiency. Once you've determined that you have a deficiency, Charts 2 -4, take you through a series of questions based on the types of control - Process/Trasactional Controls, IT General Controls (ITGC), and Pervasive Controls other than ITGC (think soft controls).
Integral to the analysis for Charts 2-4 is the Prudent Official. If you perceive yourself to be the Prudent Official, you may "anectdotally" conclude a potential error caused by the deficiency is a garden-variety, inconsequential deficiency, or has a magnitude more severe to characterized significant or worse, a material weakness. I use the term "anectdotal" in this evaluation because one would apply company specific knowledge of circumstances and financial impact to hazard an opinion of whether the deficiency was inconsequential, significant, or material. But chances are you're really not the Prudent Official. The Pruduent Official is some independent party - likely your auditors.
Let's flashback to the high shool memory of that tough, comprehensive, three hour, open-book final exam. Your teacher is the Prudent Official. Guess what? The teacher likes you and knows you are a good student, but if you didn't show your work, she can't give you credit. Ouch!
The moral of the story - Show Your Work. The quantification process can be gruelling because each deficiency has it's own circumstance and anlysis effort. But the silver lining is being able to discuss the qualitative factors that help mitigate the risk and reduce the exposure error, thus allowing you to confidently defend management's assertion that internal controls over financial reporting are effective or acknowledge the weaknesses with a remediation plan.
- Build a uniform financial model in a spreadsheet or database that allows you to approach each deficiency evaluation the same way.
- When you get to the point in Chart 2-4 where you have to consider the magnitude of the deficiency, document your key financial data points - what are the quantitative brightlines? For some companies, values less than 1% of Net Income Before Tax are inconsequential and 5% and over is a material weakness. Discuss this matter with your management team and your auditor to come to a consensus.
- Take the time to really evalute the nature of the deficiency and boil it down to the significant accounts that are impacted to understand the gross exposure. You'll find definition of gross exposure in the whitepaper.
- Use your testing sample sizes (refer to the AICPA's sampling guide, appendix A) to determine if there is confidence level that you can factor in to arrive at a net exposure.
- Contemplate the compensating controls in your internal control system and think about the precision of the controls that operate independently upstream or downstream from the deficient control to qualitatively mitigate the exposure. Ascribe a factor to those controls and document your rationale to conclude the individual deficiency analysis.
- Having documented the rationale for your quantification of the potential error, you can easily add up the values across the like COSO elements, signficant accounts, or financial statement assertions to assess how items aggregate.
- Write a narrative to help the Prudent Official navigate your analysis, rationale, and conclusions.
In parting, let me also share one other thought prospectively for next year. In Stephen Covey's book "Seven Habits of Highly Effective People", Habit 2 articulates the virtues of beginning your endeavor with the end in mind. As you progress through your final mile of 2005's SOX 404 evaluation, think of what would make it better, easier, less harried next year. The fewer deficiencies left to evaluate the better. That is easy to say - but with that end in mind, you can work with all the consitutuents of your company to slowly change attitudes and behaviors. Emphasize more education, more monitoring, earlier testing, concerted efforts to remediate with a sense of urgency and proactive retesting. The effort will payoff for everyone involved.

0 Comments:
Post a Comment
<< Home