Controls Design for Efficient Compliance with Sarbanes-Oxley's Section 404

Lines of Defense

A common beginner's mistake is to imagine that internal controls meet control objectives (or risks if you prefer) one by one. The reality is quite different. Most controls address many risks, while most risks are met by several controls. I often think of layers of controls or lines of defense. Few controls are completely effective so multiple layers act like filters to cut down the risks in stages.

Audit documentation tends to understate this multilayered nature so it is important in controls design work to document designs so that the full system is visible.

Automated "Killer" Controls

Having said that control systems are multilayered, it still makes sense to pick out certain controls and try to make them the ones that get the most focus from auditors. These controls will usually be automated detective controls with a wide span that sit one on top of lots of other controls and prove they worked. Done correctly, these controls make testing others virtually pointless and so cut audit costs.

For example, the PCAOB's auditing standard 2 describes auditors checking that compiled software files on a live system have the same dates and sizes as the software vendor says they should have. What a tedious test, but surely one that can be scripted and done as often as desired. It would provide evidence that a range of controls over software change has operated effectively.

If company security policies for servers have been defined in terms of the specific parameters to be set, then these can be checked across many servers quickly and automatically. Other examples include overall reconciliations between accounts, files, or databases, and automated comparisons of details between files or databases.

Dynamic anomaly and pattern recognition software can be used to filter for new forms of error. The software uses statistical learning to identify typical record values, and their combinations, then searches for unusual transactions.

Measurement for Management

Every large scale, high volume business/accounting process should have an owning group that gets together regularly to study statistics about the health of the process, including its error rates, backlogs, volumes, speeds, IT support issues, and staffing. Their role should include systematically analyzing the causes of problems and taking actions to remove or reduce those causes.

This activity, and the supporting reports, improve control and provide easily accessed evidence that control checks have operated (otherwise numbers would be missing from the report) and that the control system is effective or not (which is what the numbers show). A well-designed process health report (what bankers call an operational risk KRI report) will show time series and use graphs to help people understand how things have unfolded over time.

Design for Inherent Reliability

In high volume, large scale business/accounting processes, the efficient approach is almost always to stop errors from happening in the first place. This requires design for inherent reliability.

This is not quite the same as using "preventive" controls. "Preventive" traditionally means controls performed before data is entered into a computer system. Many so-called preventive controls are checks for errors or fraud that have already occurred.

Increasing inherent reliability means making errors and fraud arise less frequently. Usually this is accomplished by good ergonomics, software bug removal, and control checks in supporting processes. People often omit ergonomic improvements but this is due to ignorance of ergonomics, not because the improvements are unimportant or hard to do.

Ultra low error rates that have been measured by high-powered automated checks, reported, and tracked, are extremely reassuring for everyone, including external auditors.

Looking to the Future

Things change and controls get out-of-date unless they are adapted to meet new conditions and requirements. This process is itself a control to be designed, implemented, operated, assessed, and audited.

Faced with any form of planned or anticipated change or trend, the process should identify the main types of control mechanisms that are likely to need revision and direct the right kind of resources to do the work in adequate time. Remedial work cannot be completely eliminated because no controls design is perfect first time, and all need to be tuned in the light of experience. However, most companies today rely much too heavily on after-the-event audit work to tell them when controls work is needed.

Supervision and Compliance

Let's return, now, to supervision. The main design constraints from the PCAOB are simple:

• Someone other than the person who performs a control should look to see that it has been performed, and performed effectively.
• This should happen often enough to be useful and especially near the financial year-end.
• Evidence of this "testing" should be kept and brought into management's overall assessment of the effectiveness of internal control over financial reporting.

Let's imagine the underlying control is a set of five daily bank reconciliations performed by an accounts clerk. Currently paper copies of these are all initialed by the assistant head of treasury, and that's it.

From a control point of view, this is disappointing because potential information from the control check is not being picked up or passed on. The opportunity to identify process and system flaws and remove them is being missed. We have no visibility of process health. We also have little idea how thorough the assistant's review is before the initials are scribbled on the paper.

From a compliance point of view, this is also a missed opportunity because the assurance goes no further than the Assistant. There is little alternative but for auditors to test the Assistant and the clerk in some detail.

What can we change? Here are some suggestions.

• Revise the layout and descriptions of the reconciliations to improve clarity. (For some reason, most reconciliations are unnecessarily baffling, so when the work is eventually passed to another clerk, there is a risk of error.)
• Classify reconciling items into "normal" versus various grades of problem including bank error, our error, unidentified item, and so on.
• Require the clerk to record the numbers of each item type and to report verbally or in writing on new types of problem and their apparent causes (and even possible preventive measures).
• Reconciliation results are captured in the system used to process health reporting, along with the assistant's review—probably a confirmation and some remarks about issues uncovered. (This is copied into management's assessment of internal control for compliance purposes.)
• Require that once a week the assistant sit with the clerk to study the reconciliations in more than usual detail and understand any problems arising in their completion. Ideally this will not be the same day each week.
• Require the assistant to report the problem grade stats regularly to the boss, the treasurer, who reports them on (in a cut down form along with other stats covering other activities) to their boss, the chief accountant, who pulls them into an overall review and assessment monthly for the CFO's internal controls committee.
• The stats and notable problems to the process health are reported to the team meeting via the end-to-end process health monitoring report.
• Require that at every level in this organization pyramid there are occasional coaching meetings where the effectiveness of routine control activities (including supervisory activities) is tested and assessed.

Now we have a pyramid of supervision helped by central capture of evidence, and suffused with process health information.

Treat People Like People

Traditional internal control theory sees no problem in treating every employee as if they are work-shy, dishonest, incompetent, or all three. While a very few employees are like this, most are not and feel distrusted and insulted by their employer unless treated with more respect. This is a fundamental problem for internal controls design and not one we can shrug off, saying "Well, we've just got to do this because it's the law."

Some helpful tactics are as follows:

• Restrict this kind of supervision to activities that require high reliability. Don't apply it to everything.
• Focus on the error prevention motives when promoting the procedures. Don't go on about fraud, but do design against it. People should be motivated to comply with anti-fraud controls because most are designed to put honest employees above suspicion.
• Talk about quality rather than control. Most people prefer it, and some companies have a strong cultural preference for this language.
• Make sure that the employee is being asked for their contribution to building a better company and improving their job. An unhealthy conversation is one where the supervisor simply demands confirmation that work has been completed with no outstanding problems. A healthy conversation is one where the supervisor asks to be shown what has been done and what has been learned by it, including lessons about systems and procedures, the impact of behavior in other departments, and so on. In a healthy conversation, the employee feels a valued contributor, yet the meaningful exchange that results is much harder for a cheating employee to fake.

Summary

Well-designed internal controls can lighten the regulatory burden, reduce errors and fraud, and still leave people feeling like people. The PCAOB has opened the door to more enlightened compliance, and I urge all companies to take the opportunity offered.