<body>

Blackbelt 404.

Compliance For The Sane

Federal Reserve Fossil Greenspan Wants To Take SOX With Him Into Oblivion

September 26, 2006

Q: According to Alan Greenspan, what do Alan Greenspan and the Sarbanes-Oxley Act have in common?

A: The time has passed for both to call it quits.

The Boston Herald reports:

Former Federal Reserve Chairman Alan Greenspan told a Boston business audience last night that most of the Sarbanes-Oxley corporate governance rules enacted in 2002 had become a "nightmare" and should be scrapped as soon as possible.

Greenspan, who in his 18 years running the Fed earned a reputation for speaking cautiously, raised eyebrows with several unusually frank remarks in an hourlong discussion in front of 800 members of the Mass. Technology Leadership Council.

The legendary former Fed chief said the Sarbanes-Oxley regulations hampered business, discouraged risk-taking and were driving foreign companies to shun the New York Stock Exchange for the lighter rules in London.

The only part he praised was the rule that chief executives had to certify their companies' accounts personally.

"The rest we could do without," he said.

Right, except Greenspan does not tell us how in the world chief executives would be able to personally certify that their accounts are accurate without the rest of SOX. Everyone agrees SOX has to be revamped, but to expect chief officers to be personally responsible for the financials of their institutions without anything to back their signature up is not sensible or productive.
posted timely by shapi, 10:00 AM

Cox on SOX

September 20, 2006

Christopher Cox, SEC Chairman, testified to the Committee on Financial Services, US House of Representatives, re: fixing Sarbanes-Oxley. See what he said here.
posted timely by shapi, 7:35 PM

Mexican Company Nailed By SOX

September 19, 2006

Mexican billionaire, Ricardo Salinas Pliego, allegedly bought the discounted debt of one of his outside holdings, and then sold it back to the company at face value, pocketing close to $109 million in the process for himself and a partner. He reached a settlement with the SEC last week in the first lawsuit against a foreign company under the rules of the Sarbanes-Oxley Act. Here's the story.
posted timely by shapi, 8:00 AM

Got something to say to the SEC? Submit it today or forever hold your peace

September 18, 2006

Today, September 18th, is the deadline for submitting comments to SEC's Concept Release on Management Reporting under Section 404.

Check out the comments of others, filed here.
posted timely by shapi, 12:16 PM

Pass or Fail

September 14, 2006

The IIA's release to the SEC (paragraph 15; see also 19) describes an approach used by Internal Control practitioners (good phrase - I think I'll call myself that from now on), which they suggest the SEC might consider:

this requires obtaining an understanding of the risks and then selecting the most effective combination of controls to provide reasonable assurance etc.

This statement can be misleading. "The most" effective controls are not necessary; effective controls are. There are only two grades you can get for 404: P or F. There are no A's, B's, or C's. If your controls are effective, you've complied.

External auditors have been citing instances where, even though the controls are effective, they "would like to see" additional or "different" controls, because those are "even more effective" than the ones in place. This is not correct, especially since the IIA mentions in their release (para. 32):

a reasonable level of internal control assurance should take into account the cost of providing that control.

It may therefore be reasonable for management, under various circumstances, to forgo having the "best" controls in favor of less expensive, but acceptable, ones. But in any case, as long as a combination of controls reduces the risk of financial statement misstatement to below the required level, 404 has been fulfilled. Having the "most effective" controls is not only not a requirement, it is not even recognized.


posted timely by shapi, 3:31 PM | link | 2 comments |  

So you think your company spends a lot on SOX?

At the Roundtable discussion on second-year experiences with SOX that was held this past May in Washington DC, I heard Phillip Ameen, VP and Comptroller of General Electric, state that his company spent $33 million on SOX compliance last year, and identified 38,000 significant controls.

That's about $868.42 per control.
posted timely by shapi, 12:14 PM

Eliminating Fraud At The Roots

September 12, 2006

The IIA thinks we can improve SOX by shifting its focus from control activity to the root causes of public failures:

The current approach does not address the root causes and therefore does not provide assurance to investors that the SEC and Congress desire.

As a critical first step, we suggest that SEC Staff perform an assessment of risk related to materially misstated financials, with particular reference to those incidents (companies many of which have become household names) that led to significant investor losses. The root causes should be identified. We believe that such an assessment will identify more issues existed within the COSO Controls Environment layer, with little risk within Control Activities. This assessment of root causes should determine what the Commission should require both of management and their auditors.

I kinda side with the SEC on this. Legal requirements can force a company to segregate duties, but it cannot force a change in attitude (although it can nudge it a bit). "Tone at the Top" can be feigned, executive T&E can be to-the-penny perfect, executive management can be hands-on involved in all control areas, and fraud can still be pervasive. I believe governance standards should be implemented, but they are too unquantifiable and too easily flouted to play the cornerstone of confidence that SOX is designed to provide. Better, I think, to focus on controls whose effectiveness is more measurable.

There is merit in assessing the Controls Environment prior to other layers of COSO, as it can help assess risk at the significant account, process, and key control levels. In addition, this layer has been where the root causes were for most of the public failures (e.g. WorldCom, Enron, etc). - Paragraph 15

The problem with this is that fraud tends to gravitate to the path of least resistance. Therefore, even if an assessment of root causes "will identify more issues existed within the COSO Controls Environment layer," that is likely to be the case only until internal control requirements are implemented within the Controls Environment. Then, watch how more fraud issues will crop up within Control Activities.

So while it is true that sufficient attention must be given to root causes of the past, it is not prudent that "this assessment should determine" requirements for management and auditors, although it should be one critical factor in that determination.
posted timely by shapi, 10:05 AM

IT and Finance: Unite!

September 11, 2006

The IIA's comments to the SEC bring up, several times, the issue of how to treat ITGC in relation to financial controls.

In paragraph 19-d:

It may be possible to identify a combination of ... Increased or reduced reliance on key ITGC controls, depending on risk and the presence of other controls.

In paragraph 29:

In the absence of current guidance that enables an identification of specific risks, many organizations are performing full ITGC testing on all applications involved in financial processes. As we indicated in our response to the recent Roundtable, we believe that has led to excessive testing and resource costs among both registrants and their auditors.

In paragraph 34:

Furthermore, as information technology supports the underlying business process, risk and control assessment should be focused first from the specific of that business process. Separate and distinct information technology standards may confuse that point.

The treatment of ITC as a realm apart from financial controls is a wasteful distraction from 404 objectives, and a misapplied byproduct of financial statement audit theory. For 404, any set of controls that mitigates the financial statement risks - i.e. that safeguards the assertions - is sufficient. Classifying certain controls as IT and others as financial, and the differential treatment they receive as a result, is counterproductive and highly inefficient. While I recognize that certain ITGC cannot be compensated for by financial controls (such as program change controls), there is no reason to treat these critical IT controls any differently than critical financial controls. The wall between ITC and FC should fall, and both types of controls should be directed toward the objective of mitigating risks to the financial assertions. If there is any reason to classify ITGC separately from FC, it is in the same sense that we classify preventive controls separately from detective controls, or automated controls from manual controls. A good combination of both is desired - and perhaps even needed - but the testing guidelines and identification of key controls should be one exercise that includes both categories. Just as preventive and detective controls are consolidated to form a single set of controls designated by management to mitigate the financial risks, so too should ITGC and FC be integrated.

So to my external auditors, and my friends in the IT department: Please don't ever start a sentence with the words "But from an IT perspective..." There is no IT perspective in 404. The objective is to prevent financial misstatement. To the extent that ITGC accomplishes that, they are needed, just like any other financial control. Beyond that, they don't matter.
posted timely by shapi, 4:01 PM

IIA vs. SEC

On July 18th, the SEC published their Concept Release on Section 404 Guidance, where they asked for comments to help shape their forthcoming 404 guidance. The IIA replied. In general, I thought their response was excellent. They even had a few zingers in there, but you'll have to read all the way to the last page if you want to see the best one:

SEC: How might guidance be helpful in addressing the flexibility and cost containment needs of smaller companies?

IIA: The question appears to recognize that a reasonable level of internal control assurance should take into account the cost of providing that control ... Unfortunately, cost is not a consideration in today's guidance and we welcome a contribution in this area by the SEC.

Hehe.

The IIA's most salient points include:

  1. We need clarification in several areas, so that we do not continue to be - quote - "forced ... to back into what is expected from ... external auditors who are in turn interpreting (inconsistently and perhaps not always accurately) PCAOB guidance." Well said.
  2. The PCAOB keeps using phrases such as "reasonable assurance", "reasonable likelihood", "remote likelihood", and "inconsequential", which are neither objective nor consistently interpreted. And - this is an exact quote - "reasonably possible or reasonably likely [are] not plain English."
  3. SEC should identify and address the root causes of the major financial scandals that triggered SOX, in other words, issues within the COSO controls Environment layer, as opposed to the current approach, which focuses primarily on risks within the Control Activities.
  4. The term "Key", as in "key control," needs to be understood in the same way by both management and the external auditor. (I don't understand why this is still an issue. See here).
  5. Especially regarding ITGC, the definition of a "key" control must be more clearly understood.
  6. The definition of "material", as in "material misstatement," must be more clearly defined.
  7. The judgment of a reasonable investor should be used, instead of the current criterion, which is the judgment of a reasonable official.
  8. Controls aren't omnipotent. Even if they are effective, errors and even fraud can occur, albeit with the odds of such occurrences greatly reduced. Therefore, if a company has to restate their financials, it does not necessarily mean - nor is it necessarily even a "strong indicator" - that the internal controls were broken. Especially when the external auditors reviewed those controls and found them effective.
  9. We need guidelines for testing automated controls.
  10. The requirement that tests must be performed during the year is a hold-over from financial statement auditing theory and makes no sense in context of 404. A control that is tested effective a few days after year end is more likely to have been in place than a control that was tested to be effective 2 months prior to year end.

There were also points that I disagree with. I'll discuss them in the next few posts.

posted timely by shapi, 12:24 PM

Obsessive Compulsive Evidence of Review Disorder

September 06, 2006

Let me be clear: our external auditors (who are reading this) are not obsessed with evidence of review. But my friend Eli, an audit manager at a great metropolitan newspaper, says hers are.

If your external auditors are like Eli's, fret not. Lack of evidence of review is not a control deficiency, since evidence of review is not a control. In order for something to qualify as a control, it has to mitigate a risk. "Evidence of review" mitigates nothing. The review is the control. Evidence of the review is only proof that the control was done. It's like a test, in a way, but it's not part of a control.

And there is no statute of limitations that demands the evidence of a control be in place within a certain amount of time after the control was performed. So if your bank rec, for instance, was reviewed on January 10th, the signoff for that bank rec can be done any time in the future.

Therefore, if your year end is rapidly approaching - or has even passed - and your external auditors note that you have no evidence of review, just ask your reviewer to sign off right then and there. If he actually did the review but previously did not sign it, then the control - i.e. the review - was effective at the point in time it was designed to be, but the reviewer neglected to document it. And documentation does not have to be done at the same time as the control.
posted timely by shapi, 2:03 PM

What makes a key control?

September 01, 2006

The IIA defines a Key Control here:

"A key control is a control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be detected on a timely basis." (page 29)

They also provide signs that are "highly persuasive" that a control is key:

    1. Operating management considers it key
    2. Common sense indicates it is a key control
    3. The control addresses an assertion or risk that is not addressed by other controls
    4. It directly addresses a section in the Sarbanes-Oxley legislation etc.
    5. It describes a key role in monitoring the effectiveness of controls across the entity
    6. The external auditor considers the control as key
They say, should a control that has one or more of those signs still not cause more than a remote likelihood of a financial misstatement if it fails, "management should consult with the external auditor to reach agreement that they are not key".

I have only respect for the IIA, but I don't know what this is about. If a Key Control is a control without which there is a reasonable risk of financial misstatement, then a control that is not needed to prevent financial misstatement is not key. What exactly is there to discuss?

One of my external auditors must read this IIA literature when nobody's looking. Cuz I have these "discussions" with him all the time. They usually go something like this:

External Auditor: You missed a key control.

Me: But it doesn't affect our financials. Even without your so-called "key" control, we have other controls that would prevent or detect all reasonably possible financial statement risks associated with the process in question.

External Auditor: So what? But it's key!

Me: Um, no it's not. How can it be key if it doesn't meet the definition of Key, which is that it is needed to protect the financials from misstatement?

External Auditor: But operating management considers it key!

Me: Operating management didn't read AS-2. Had they, they'd know the definition of a Key Control. As it is, they're just talking out of their hats.

External Auditor: But common sense indicates it's key!

Me: Um, Common sense indicates that if a control doesn't fit the definition of Key it isn't Key.

(The conversation usually goes downhill from there)

404 is about one thing only: Misstatement of financial statements.

Not safeguarding of assets.

Not efficiency and effectiveness of operations.

If the financial statements are reasonably protected from misstatement, nothing else matters -- your Key Controls are effective and you've passed 404. And the combination of controls that accomplished that - they are your Key Controls. Even if management, your external auditors, and common sense all consider other controls "key".

404 is about preventing financial misstatements; not about the opinion of management, external auditors, nor even - sigh - common sense.

posted timely by shapi, 6:45 AM