Adding Significant Value with Internal Controls
By David R. Campbell, Mary Campbell, and Gary W. Adams
JUNE 2006

Every company—an accelerated filer completing the
second year of Sarbanes-Oxley (SOX) 404 compliance, a private
company wanting to enhance internal-control quality, or a
nonaccelerated filer looking at initial compliance efforts
for 2007—wants to get as much value as possible for
each dollar spent. Although
initial efforts may be motivated by legislation, looking beyond
compliance to achieving a market leadership position through
internal controls can deliver significant value. A leadership
position with regard to compliance can offer competitive advantage
with a number of stakeholder groups: analysts, rating agencies,
customers/clients, and suppliers. This
article provides a brief overview of the Committee of the
Sponsoring Organizations of the Treadway Commission’s
(COSO) model of internal controls used in many organizations
as an implementation framework. It then outlines key measures
of progress to a market leadership position, where real
value is delivered beyond meeting compliance requirements.
Last, lessons learned from the authors’ consulting
work describe the key organizational success factors typically
found in organizations that are at the leading edge of SOX
compliance.

The Value Proposition for Internal Controls

The basic benefits of holding a market leadership position in
internal controls include the following: increasingly effective
operations, highly reliable financial reporting, and industry-leading
compliance programs. Recently, the Institute of Internal
Auditors’ (IIA) Research Foundation published a detailed
report titled “Sarbanes-Oxley Section 404: Looking
at the Benefits,” by Larry E. Rittenberg and Patricia
K. Miller. This report highlighted significant additional
benefits from control improvements brought about by section
404:
- It added structure in the year-end closing process and
recording of journal entries, resulting in recognition
of the additional complexity in these areas.
- It increased anti-fraud activities, including defined
processes, which include responsibility for follow-up.
- It improved the documentation of controls and control
processes evaluation.
- It improved the definition of controls across the organization,
including the crucial relationship between these controls
and risk.
- It spurred a return to the foundation of basic controls
(e.g., segregation of duties, periodic reconciliation
of accounts, and authorization processes) that had eroded
as organizations downsized or consolidated operations
in order to drive costs down and remain competitive.

Organizations derive additional value from their internal controls work,
whether it is done for section 404 or for the stakeholders
of a not-for-profit organization. In addition, the report
found that market leaders can leverage the knowledge base
built during the assessment process, documentation development,
and the relationships defined across business processes
to create measurable value across the entire organization.
When this occurs, the true organizational return on investment
in SOX compliance can be realized.

Two areas of particular value enhancement are business process
improvement and risk management assessments. Combining business
process improvement with SOX internal control efforts allows
companies to benefit from reengineered business processes,
resulting in fewer controls and better downstream business
performance. The SEC’s recent emphasis on a more risk-based
approach to the identification of key processes, key controls,
and appropriate testing has many organizations focused on
the broader value produced through enterprise risk management.
Here the organization uses risk assessment as a strategy
to boost its bottom line, much like cost containment.

Many companies without a chief risk officer or risk council are
considering implementation of these concepts to deliver
greater corporate value. Companies at the leading edge of
discovering additional value in internal controls have developed
techniques proven to drive more predictable revenue, minimize
outstanding receivables, reduce operational costs, and even
improve a company’s performance.

The COSO Internal Control Model

The COSO internal control framework was first introduced in
1992, and in 1994 a comprehensive four-section report on
internal controls was issued, consisting of an executive
summary, a framework, guidance to public companies on reporting
on internal controls to third parties, and evaluation tools
to help a company comprehensively assess its current control
environment.

The COSO framework (Exhibit 1) is relevant to achieving company
objectives in three areas:
- Operational goals: The framework relates to the effective
and efficient usage of all of a company’s resources.
- Financial reporting goals: The construct gives guidance
on the consistent production of reliable financial reports.
- Compliance goals: The guidance creates a topology of the
company’s compliance requirements as they relate
to industry regulations or legal requirements for public
entities.

The right side of the cube in Exhibit 1 represents the organizational
units and activities to which this framework is applied.

The COSO framework is the standard for internal controls guidance.
The IIA Research Foundation indicated in a February 2003
report, “Internal Auditors’ Role in Corporate
Governance,” that 63% of publicly held companies use
the COSO framework of internal control.

Market Leadership

A market leader is distinct in the way top management views their
leadership responsibilities. In many cases they see opportunity
for improvement where others only see regulatory hurdles
or bureaucratic necessities. Market leaders can leverage
the COSO framework.

Control Environment

This element is the foundation of the COSO framework. It sets
the overall tone of the organization with regard to the
importance of internal controls. Ethical values, leadership
resource allocation, staff competence at all levels, the
dynamics of authority and responsibility within the organization,
and management philosophy are all parts of this critical
component.

In a sense, the control environment is the most difficult component
to quantify, because much of it relates to the overall culture
of the organization. But there are a number of clear goals
that an organization can work toward to ensure that the
framework rests on a foundation exemplifying market leadership.

Board and leadership involvement is the most crucial element in
an organization seeking market leadership. As the board
and leadership set expectations and measure progress against
them, business units or department heads begin to assign
internal controls the priority they require. The specific
strategies that can be employed to move to a market-leader
position within an industry include the following:
- Conveying the importance of ethical values by setting
an example and “walking the talk.” This includes
relating stories of integrity and ethical values through
presentations, newsletter stories, and any other means
of getting the message to everyone that these values are
important to the organization. Public companies are now
required to have a code of conduct for the board under
the requirements laid out by SOX. Nonprofits and private
companies can also benefit from a code of conduct. The
organization cannot tolerate violations of this standard.
There are financial benefits to this approach as well.
One research study performed by the Institute of Business
Ethics (“Does Business Ethics Pay?,” April
2003) found that companies displaying a clear commitment
to ethical conduct consistently outperform companies that
do not display ethical conduct.
- Developing clear organizational guidelines relating to
responsibility and authority with accountability checks
is another clear hallmark of a market leader. Within
the organization, leadership typically follows a distributed
model, with individuals understanding the overall organizational
goals and how the goals of their department or business
unit relate to them. Individuals should also understand
their responsibilities and the limit of their authority
to ensure that the goals of the organization are achieved.
When a leadership culture like this is achieved, the whole
organization is focused on organizational objectives and
committed to the maintenance of the control structure.
A guiding coalition of leadership members believing in
the need for change is one of the first steps typically
taken by organizations that successfully make culture
shifts, but changes will take effect slowly and steadily
over time.
- Embedding the internal control framework within the organizational
culture. Management must clearly define roles and responsibilities
for internal controls, including responsibility for the
defining, documenting, testing, and monitoring of controls
and the remediating of problems. The organization must
incorporate these responsibilities into the responsible
individuals’ performance management goals.
- The internal controls environment is no longer viewed
as separate from the operating component of the business;
controls are embedded in processes from the beginning.
This approach lowers the risk of inadequate controls and
ensures that the control structure is in place from the
outset of a process’s planning and launch.
- Supporting human resources policies and practices that
provide clear corporate career paths. Human resources
management plays a key role in ensuring that individuals
are hired with the needed financial competencies and that
career growth supports an increased level of financial
reporting competencies.

Risk Assessment

Leading companies take a risk-based approach to SOX internal controls
compliance as a key step in achieving a correct balance
between costs and benefits. Recent guidance from the Public
Company Accounting Oversight Board (PCAOB) supports this
approach with specific recommendations, including the use
of a risk-based method to determine which key controls are
tested each year. The PCAOB also recommends treating the viability
of a company’s business model as an important consideration
when evaluating risks. Companies that focus on these larger
problems and risks will better meet the needs of all their
stakeholders, including investors and analysts.

Market leaders with respect to internal controls expand the risk
focus started under internal compliance efforts to a broader
venue. One popular concept that often precedes a mature
enterprise risk management initiative is the formation of
a risk council. This council is generally composed of management
representatives from different areas of the business. Some
of the early objectives of risk council meetings are as
follows:
- Use of a common terminology for risk discussions throughout
the organization;
- Definition of a risk framework or structure for fostering risk management
across the organization;
- Characterization of the organization’s current risk capability as
well as risk and performance indicators;
- Identification of the company’s current spending on risk; and
- Formulation of a plan to mitigate the operational risks of the organization.

If they do not already have a risk program, some companies
take the risk management process even further with a more
formalized, enterprise-wide program headed by a chief risk
officer. Under this approach, the organization embeds risk
identification and mitigation into its culture in the same
way it adopted its internal control framework. The goal
is to intertwine risk and business strategy with other organizational
systems such as performance management.

Another important aspect to risk assessment is continuous monitoring
of the internal and external environment in which the entity
operates. This periodic scan of the operational environment
can highlight upcoming events affecting both internal controls
and risk strategy. Events such as systems change, mergers
and acquisitions, loss of key personnel, and other events
may require a closer look at existing controls and risk
management.

Control Activities

Market leadership in the actual design of controls requires corporate-wide
coordination and the involvement of ownership. Policies
are set enterprise-wide, allowing an efficient implementation
while avoiding duplicate efforts and definitions. Control
design workshops or training can raise the knowledge and
capability of management and staff to deal with defining,
documenting, managing, testing, and reporting on internal
controls. Global organizations have recently begun to roll
these sessions out through online training sessions for
foreign registrant compliance with SOX section 404. These
modules can be used with more-experienced users to reinforce
other objectives, such as a return to basic controls and
an emphasis on continuous improvement. Leading organizations
have moved to more-comprehensive training on basic accounting
concepts, and in the process have improved the timing of
their closing cycle, implemented process improvements, and
reduced the error rate in accounting transactions.

Market leaders have focused controls on prevention rather than
detection (see the Sidebar on types of controls). They have
reengineered business processes, where needed, to incorporate
prevention. Automating control checks by utilizing software
features that can complete checks without any specific action
is also beneficial. Internal auditing can help provide direction
to business process owners searching for the best approach
to use. Working closely with the board will help the internal
audit function receive the company-wide exposure necessary
for business process owners to recognize the value delivered
to the organization. It will also make it more likely that
business process owners will “buy in” to the
process.

Leading-edge companies in internal controls implementation effectively
utilize technology in several ways. First, they build in
controls wherever cost-effective, because this one-time
change activates a continual and long-lasting process of
control testing. Automated control testing also brings about
a quicker response time to potential problems and needed
corrections.

Management can also utilize technology to support the documentation
and testing components of their control activities. Numerous
vendors (e.g., BWise, Methodware) provide customizable software
to provide a consistent approach across the enterprise.
The use of software to support these efforts is not limited
to large companies, as many programs are scalable and affordable
for small companies. These programs help ensure that the
initial investment in documentation and testing is well
maintained and that compliance efforts will be sustained
into the future. They can also serve as a basis for higher-value
initiatives downstream, such as business process improvement
and more-comprehensive risk management activities.

Information and Communication

An open flow of information and ease of communication within
an organization are essential with any new initiative. Experienced
project managers are well versed in the communications needed
to disperse information to stakeholders. They also have
experience with change management, which can contribute
to the timelier acceptance of new processes and the continuous
improvement needed to excel. Experienced project managers
will build measurements into the plans to assess success.

Leading companies foster open communication between internal auditors,
management, and external auditors. The first year of SOX
implementation for accelerated filers resulted in less than
ideal communications with external auditors, according to
the SEC April 2005 Roundtable on Internal Control Reporting
Provisions. Recent recommendations from the SEC and the
PCAOB have clarified expectations regarding external auditor
communications, with the specific goal of improving the
quality of testing, documentation, and remediation in the
control environment, thus adding business value.

Information overload is prevalent throughout business. In the “information
economy,” management is frequently overwhelmed by
the quantity of data available, often resulting in a failure
to convert important business information into knowledge
to support their competitive advantage in the marketplace.
Leading companies have recognized that effective reporting
of exceptions and an “executive dashboard” approach
are the best ways to focus attention on important information,
and they can avoid placing management adrift in a sea of
meaningless data from endless sources.

Monitoring

Control self-assessments (CSA) can play an important part in monitoring
internal controls. CSAs place the responsibility for assurance
that controls are in place and functioning with the business
process owners, consigning ownership exactly where it belongs
under the dynamics of typical organizational behavior.

Several questions from a CSA on a company’s accounts payable
process are shown in Exhibit 2. The IIA website has numerous examples. Another CSA
option is an interactive workshop, which uses a facilitator
to draw out control information from management. This approach
leaves control with management, allowing the organizational
process owners to follow up downstream with surveys or questionnaires
in subsequent periods, further refining the work product.

Monitoring efforts are best focused on leading indicators that allow
time for correction, rather than lagging indicators that
do not. The best reports for monitoring internal controls
contain integrated information from both internal and external
sources. Software packages can facilitate pulling together
data from disparate systems and processes.

In many organizations, the internal auditors are responsible
for conducting a formal review of internal control work.
Such a review should be conducted annually and should take
advantage of “lessons learned” from SOX activities,
as well as input from the external auditor.

Key Success Factors

Success requires more than simply creating a checklist in each of
the control components. There are a number of differentiating
factors, consistent across industries and firms of various
sizes, that are responsible for the success of market-leading
companies.

Change management. To become a market leader, an
organization’s people must often change the way they
approach their responsibilities. Change occurs because employee
stakeholders see the benefit, buy in to the concept, and
therefore effect change.

One of the most successful techniques for achieving this goal
is the creation of a guiding coalition or leadership group
responsible as internal champions for the changes required
in the current environment. The authors have found that
designating a well-respected individual with good project-management
skills as the champion for the effort ensures achieving
a leading practice state.

Finally, communications and training throughout the organization
at every level are key components of success:
- Ask process owners in areas with material weaknesses or
significant deficiencies to report to the audit committee
on these issues along with the remediation plan the owner
has committed to implement. (See the Sidebar for a definition
of “material weakness” and “significant deficiency.”)
- Distribute, on a regular basis, communications from
internal audit or other responsible groups on techniques
and tools to support the effort.
- Conduct training to support business owners when completing
the CSAs and testing.
- Issue progress reports from the leadership throughout
the process on the benefits obtained from efforts to date
and the desired goals to continuously improve the process.

Continuous improvement. Companies that strive for market
leadership in everything they do will want to go beyond
minimum compliance requirements when addressing the SOX
internal control assessment and reporting process. They
are constantly looking to improve and leverage additional
value from what they have accomplished to date. Such companies
are more inclined to pursue continuous improvement in achieving
their business strategy.

Drive to value. A drive to value means thinking
creatively and continuously about what has been accomplished
to date to further leverage competitive advantage for the
organization. Although SOX section 404 compliance does not
require the reengineering of business processes, the knowledge
gained from internal control assessment will likely uncover
opportunities for business process improvement to create
value. For example, a control that costs thousands of dollars
to implement in a company’s supply chain system may
uncover inventory inefficiencies that process owners can
reengineer to save millions. Finally,
market leaders expand their risk focus from initial SOX
tasks to a much broader scope and view the task not as within
a single department or division, but rather as an enterprise-wide
initiative of cost containment or revenue enhancement.

Beyond Compliance

If public companies, not-for-profits, and private companies
are to truly realize the significant investments made due
to SOX, they must move beyond basic compliance and emphasize
an even better system of internal controls that will promise
to:
- drive attainment of strategic business objectives,
- prevent fraud,
- target and mitigate risk, and
- help design business process improvements to better integrate
enterprise-wide process with systems.

David R. Campbell, CPA, is a professor and chair of the
accounting department at Drexel University in Philadelphia,
Pa. Mary Campbell is an independent consultant
who assists companies with the implementation of strategic
initiatives. Gary W. Adams is the president of AutoParking,
Inc., in New York City.