FinexGroup Leadership. Execution. Training.


Evaluation of Internal Controls Over Financial Reporting (“ICFR”)

By Massood Oroomchi and Alec Moore
Founding Partners of the FinEx Group


January 22, 2007

Having certified the design of the ICFR as at December 31, 2006, most Canadian companies are now moving to the next and final phase of the CEO/CFO Certification requirements: evaluating the operating effectiveness of the ICFR. Management should assess whether its controls are designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (“GAAP”). To maximize the effectiveness and efficiency of the evaluation program, the “Top-Down, Risk-Based” evaluation methodology described below should be deployed.

As illustrated in the chart below, the evaluation of ICFR proceeds in the following steps:

  • Perform an evaluation of the Governance, Entity Level and Disclosure Controls. Merge the evaluation of IT Entity Level Controls with the evaluation of other Entity Level Controls.
  • Apply a risk based approach to the evaluation of Transaction Level Controls and factor in the results of the evaluation of the Corporate Level controls as described above.
  • Perform an evaluation of IT General Computer Controls.
  • Evaluate IT Application Controls only if identified as key controls and factor in the results of the evaluation of IT General Computer Controls.
  • Identify and report significant deficiencies to the Audit Committee, and report Material Weaknesses to the Shareholders if they are not remediated by the end of the fiscal year.

Diagram: Internal Control Over Financial Reporting Top-Down, Risk-Based Evaluation Methodology

In December 2006, the SEC issued proposed interpretive guidance (“SEC Guidelines”) for management’s evaluation of ICFR, with public comments due by February 27, 2007. Prior to the issuance of these guidelines, the only guidance available for ICFR evaluation was PCAOB Auditing Standard No. 2, which was written as an auditing standard rather than as guidance for management. The Canadian regulators have made no announcement regarding their intention to adopt such guidelines in Canada for Bill 198 compliance requirements. However, the Canadian Securities Administrators will most likely either adopt or propose similar guidelines in Canada.

The recent SEC Guidelines are non-prescriptive, principles/judgement-based, focused on risk and materiality, and set forth an approach by which management can conduct a top-down, risk-based evaluation of ICFR. The SEC is also proposing a rule confirming that a company which follows the proposed guidelines in its evaluation process will be in compliance with the SOX 404 evaluation requirements. However, adopting these guidelines is not mandatory, as long as the evaluation procedures the company deploys meet the SOX 404 requirements.

The Top-Down, Risk-Based approach illustrated above is in complete alignment with the recent SEC Guidelines. The SEC Guidelines state that:

“The objective of the evaluation of ICFR is to provide management with a reasonable basis for its annual assessment as to whether any material weaknesses in ICFR exist as of the end of the fiscal year. To meet this objective, management identifies the risks to reliable financial reporting, evaluates whether the design of the controls which address those risks is such that there is a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected in a timely manner, and evaluates evidence about the operation of the controls included in the evaluation based on its assessment of risk.”

The SEC Guidelines propose the following steps in the evaluation process:

  • Management should use its knowledge and understanding of the business, its organization, operations, and processes to consider the sources and potential likelihood of misstatements in financial reporting elements and to identify those that could result in a material misstatement to the financial statements (“Financial Reporting Risks”).
  • Management should evaluate whether it has controls placed in operation (i.e., in use) that are designed to address the company’s financial reporting risks (“key controls”).
  • Management should perform an assessment of the risk that the key controls may fail to operate as designed (“Control Risks”).
  • Management should perform an evaluation of the operating effectiveness of the key controls. The evaluation procedures that management uses to gather evidence about the effective operation of ICFR, and the nature of the evidence required, should be tailored to its assessment of both Financial Reporting Risks and Control Risks (collectively, ICFR Risk). The higher the misstatement risk of a financial reporting element and the higher the risk of the related control failing, the more quantitative and qualitative evidence is required in the evaluation process.

The following timeline supports the Top-Down, Risk-Based evaluation approach described above:

Fiscal 2007 Quarter: Evaluation Process

First Quarter: Test and evaluate Governance, Entity Level, Disclosure and Information Technology General Computer Controls.

Second Quarter: Test and evaluate Transaction Level Controls.

Third Quarter: Remediate any significant control deficiencies identified in the first two quarters.

Fourth Quarter: Perform roll-forward tests in areas with high ICFR Risk and retest the remediated controls.

The appendix below provides a high-level Q&A on the recent SEC Guidelines and their impact on the management evaluation process.

APPENDIX
Q&A BASED ON PROPOSED SEC GUIDELINES

  1. Q: Does management have to refer to any auditing standards, such as PCAOB Auditing Standard No. 2 or any revisions thereto, in designing its ICFR evaluation program?

    A: No. The Proposed SEC Guidelines make it clear that management’s evaluation of ICFR is to be conducted without the need to consult any auditing standards.

  2. Q: As a CFO of a public Company, what should I be doing to get ready for the next steps for compliance in 2007?

    A: Assuming that the Company has already designed its internal control framework, the next step is to evaluate whether the controls are operating effectively. Based on what is in the public domain today, and looking at what is likely to come down the compliance road this year, our advice is to follow the quarterly timetable shown earlier in this memorandum.

  3. Q: How do the Proposed SEC Guidelines benefit smaller firms?

    A: While the guidance is intended to help public companies of all sizes, smaller companies should particularly benefit from its scalability and flexibility.

  4. Q: How do the Proposed SEC Guidelines assist companies in reducing the scope of ICFR evaluation process?

    A: The proposed guidance describes a risk-based approach that requires the use of judgment to determine the areas that are both material and pose a risk to reliable financial reporting. Management then identifies the controls that address those risks, including the risk of material misstatement due to fraud. Once the controls that adequately address the risk of material misstatement in the financial statements have been identified, it is unnecessary to include additional controls within management's evaluation.

  5. Q: Can strong Entity Level Controls assist in determining the level of evidence required to sufficiently support management’s assessment of controls?

    A: Yes. Management’s assessment of ICFR risk also considers the impact of entity level controls, such as the relative strengths and weaknesses of the control environment, which may influence management’s judgment about the risks of failure for particular controls. The existence of entity level controls may influence management’s determination of the evidence needed to sufficiently support its assessment. For example, management’s judgment about the likelihood that a control fails to operate effectively may be influenced by a highly effective control environment and thereby impact the evidence evaluated for that control. However, a strong control environment would not eliminate the need for evaluation procedures that consider the effective operation of the control in some manner.

  6. Q: How do the Proposed SEC Guidelines assist in optimizing a company’s evaluation process through first focusing on the entity level controls?

    A: This is a significant element of the proposed guidelines, intended to help companies reduce the effort and cost of evaluating controls. If management determines that the risks for a particular financial reporting element are adequately addressed by an entity level control, then no further evaluation of other related controls is required. That is, evaluations currently being considered at the transaction level may be covered by the entity level control evaluation and may therefore not be required.

  7. Q: Should the process controls be documented in a certain way and should the documentation cover all controls within the same process?

    A: No. The form and extent of the documentation of the design of controls will vary depending on the size, nature, and complexity of the company. It can take many forms (e.g., paper documents, electronic records, or other media) and can be presented in a number of ways (e.g., policy manuals, process models, flowcharts, job descriptions, internal memorandums, forms). The documentation does not need to include all controls that exist within a process that impacts financial reporting. Rather, and more importantly, the documentation can be focused on those controls that management concludes are adequate to address the financial reporting risks. Management should also document its entity level and other pervasive elements of its ICFR that it believes address the control elements that its chosen control framework, such as COSO, prescribes as necessary for an effective system of internal controls.

  8. Q: Do the Proposed SEC Guidelines provide management with guidance on optimizing the effort spent gathering evidence for evaluating controls?

    A: Yes. The SEC Guidelines allow management to align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the greatest risks to reliable financial reporting (i.e., whether the financial statements are materially accurate). As a result, management may be able to use more efficient approaches to gathering evidence, such as daily interaction with business activities, self-assessments and other on-going monitoring activities, in low-risk areas and perform more extensive and direct testing covering a reasonable period of time in high-risk areas. This guidance should substantially reduce the potential incremental workload caused by the evaluation process.

  9. Q: Should the evaluation of controls be separated from the daily business activities?

    A: No. The evaluation procedures may be integrated with the daily responsibilities of the company’s employees or implemented specifically for purposes of the ICFR evaluation.

  10. Q: How can a company leverage its day-to-day monitoring activities in the evaluation of ICFR?

    A: On-going monitoring includes day-to-day activities that provide information about the operation of controls, and may be obtained, for example, through internal audit processes, regular management and supervisory review activities, self-assessment procedures, and the analysis of performance measures designed to track the operation of controls. Management’s evaluation process may consider the results of key performance indicators (“KPIs”) in which management reconciles operating and financial information with its knowledge of the business. These KPIs may indicate a potential misstatement in a financial reporting element and are therefore relevant to meeting the objectives of ICFR.

  11. Q: How much flexibility is there in gathering reasonable support for the evaluation procedures?

    A: The result of risk assessments can assist management in determining the evaluation procedures that provide reasonable support for the assessment. As the assessed risk increases, management will ordinarily adjust the nature of the evidence that is obtained. For example, management can vary the nature of evidence from on-going monitoring by adjusting the extent of validation through periodic direct testing of the underlying controls and/or adjusting the objectivity of those performing the self-assessments. Management can also vary the nature of evidence obtained by adjusting the period of time covered by direct testing. When ICFR risk is assessed as high, management’s evaluation would ordinarily include evidence obtained from direct testing. Further, management’s evaluation would ordinarily consider evidence from a reasonable period of time during the year, including the fiscal year-end. For lower risk areas, management may conclude that evidence from on-going monitoring is sufficient and that no direct testing is required.

  12. Q: What should be the nature and extent of evidentiary matter required in support of the control evaluation?

    A: The proposed guidance explains the nature and extent of evidential matter that management must maintain in order to provide reasonable support to its evaluation of operating effectiveness of controls including how management has flexibility in approaches to documentation. The proposed guidance indicates that such documentation can take many forms, can be presented in a number of ways, and does not need to include all controls within a process that impacts financial reporting. The proposed guidance provides that the evidential matter maintained in support of the assessment would also include the methods and procedures it utilizes to gather and evaluate evidence and the basis for its conclusions about the controls related to individual financial reporting elements. The proposed guidance indicates that in those situations in which management is able to rely on its daily interaction with its controls as a basis for its assessment, management may have limited documentation created specifically for the evaluation beyond documentation regarding how its interaction provided it with sufficient evidence.

  13. Q: Do the proposed SEC Guidelines modify the internal control frameworks such as COSO?

    A: No. The Commission distinguishes between the COSO framework as a definition of what constitutes an effective system of internal control and SEC Guidelines on how to evaluate ICFR. The SEC Guidelines are not intended to replace or modify the COSO framework or any other suitable framework.

  14. Q: Should management continue with its evaluation of entity level controls as required by internal control frameworks such as COSO?

    A: Yes. Under the Commission’s rules, management’s annual assessment must be made in accordance with a suitable control framework’s definition of effective internal control (such as COSO’s Internal Control Framework). These control frameworks define elements of internal control that are expected to be present and functioning in an effective internal control system. In assessing effectiveness, management evaluates whether its ICFR includes policies, procedures and activities that address all of the elements of internal control that the applicable control framework describes as necessary for an internal control system to be effective. Therefore, management’s evaluation process includes not only controls involving particular areas of financial reporting, but also the entity-wide and other pervasive elements of internal control that are defined by the control frameworks. Furthermore, management ordinarily would consider the company’s entity level controls in both its assessment of risk and in identifying which controls adequately address the risk.

  15. Q: Should management evaluate all redundant controls relating to a particular financial reporting risk?

    A: No. When more than one control exists that individually addresses a particular risk (i.e., redundant controls), management may decide to select the control for which evidence of operating effectiveness can be obtained more efficiently.

  16. Q: Can a company leverage strong IT General Computer Controls in the evaluation of the ICFR?

    A: Yes. While general IT controls ordinarily do not directly prevent or detect material misstatements in the financial statements, the proper and consistent operation of automated or IT dependent controls depends upon effective general IT controls. Moreover, when adequate general information technology controls exist, and management has determined the operation of such controls is effective, management may determine that automated controls may be more efficient to evaluate than manual controls. Considering the efficiency with which the operation of a control can be evaluated will often enhance the overall efficiency of the evaluation process.

  17. Q: For control evaluation purposes, how can a company leverage its assessment of financial reporting risks in a situation where multiple locations and/or business units exist?

    A: Management’s consideration of financial reporting risks generally includes all of its locations or business units. However, management may determine when identifying financial reporting risks that some locations are so insignificant that no further evaluation procedures are needed. Furthermore, management may determine that financial reporting risks are adequately addressed by controls which operate centrally, in which case the evaluation approach is similar to that of a business with a single location or business unit. When the controls necessary to address financial reporting risks operate at more than one location or business unit, management would generally evaluate evidence of the operation of the controls at the individual locations or business units.

  18. Q: What should the scope and nature of ICFR evaluation be at each Business Unit?

    A: In situations where management determines that the ICFR risk of the controls that operate at individual locations or business units is low, management may determine that evidence gathered through self-assessment routines or other on-going monitoring activities, when combined with the evidence derived from a centralized control that monitors the results of operations at individual locations, may constitute sufficient evidence for the evaluation. In other situations, management may determine that, because of the complexity or judgment in the operation of the controls at the individual location, the risks of the controls are high, and therefore more evidence is needed about the effective operation of the controls at the location.


Massood Oroomchi and Alec Moore are the founding partners of FinEx Group, providing leadership, execution and training for both public and private firms in Sarbanes-Oxley/Bill 198 compliance. For further information, contact Massood Oroomchi at (519) 574-8691 or Alec Moore at (519) 580-3690.
