Review of Control Environment
8 Is disciplinary action sufficiently taken and communicated in
Committee of the Sponsoring Organizations (COSO) in their
publication
Internal Control—Integrated Framework
The control environment sets the tone of an organization
influencing the control consciousness of its people. It is the
foundation for all other components of internal control, providing
discipline and structure. Control environment factors include the
integrity, ethical values and competence of the entity’s people;
management’s philosophy and operating style; the way
management assigns authority and responsibility, and organizes
and develops its people; and the attention and direction provided
by the board of directors.)
CONTROL OBJECTIVES FOR A REVIEW OF THE CONTROL
ENVIRONMENT
1. To ensure that management conveys the message that
integrity, ethical values and commitment to competence cannot
be compromised, and that employees receive and understand
that message.
2. To ensure that management continually demonstrates, by word
and action, commitment to high ethical and competence
standards.
RISK AND CONTROL ISSUES FOR A REVIEW
OF THE CONTROL ENVIRONMENT
Key Issues
1.1 Are there in place satisfactory Codes of Conduct and other
policies which define acceptable business practice, conflicts of
interest and expected standards of integrity and ethical
behaviour?
1.2 Do management (from the top of the business downwards to
all levels) clearly conduct business on a high ethical plane, and are
departures appropriately remedied?
1.3 Is the philosophy and operating style of management
consistent with the highest ethical standards?
1.4 Do the human resource policies of the business adequately
reinforce its commitment to high standards of business integrity,
ethics and competence?
1.5 Has the level of competence needed been specified for
particular jobs, and does evidence exist to indicate that employees
have the requisite knowledge and skills?
1.6 Are the board and its committees sufficiently informed and
independent of management such that necessary, even if difficult
and probing, questions can be explored effectively?
1.7 Is the organisation structure such that (a) all fully understand
their responsibilities and authorities, and (b) the enterprise’s
activities can be adequately monitored?
2 Detailed Issues
2.1 Are Codes of Conduct comprehensive, addressing conflicts of
interest, illegal or other improper payments, anti-competitive
guidelines and insider trading?
2.2 Are Codes of Conduct understood by and periodically
subscribed to by all employees?
2.3 Do senior managers frequently visit outlying locations for
which they are responsible?
2.4 Is it the impression that employees feel peer pressure “to do
the right thing”?
2.5 Is there sufficient evidence that management moves carefully
in assessing potential benefits of ventures?
2.6 Does management adequately deal with signs that problems
exist (e.g. hazardous by-products) even when the cost of
identification and remedy could be high?
2.7 Are sufficient efforts made to deal honestly and fairly with
business partners (e.g. employees, suppliers, etc.)?
2.
the case of violations?
2.9 Is management override of controls appropriate when it
occurs, and sufficiently authorised, documented and explained?
2.10 Are there job descriptions (which adequately define key
managers’ responsibilities) and performance appraisals with
follow-up action to remedy deficiencies?
2.11 Is management and staff turnover reasonable, i.e. not
excessive?
2.12 Are staffing levels adequate but not excessive?
2.13 Do staff recruitment procedures sufficiently enhance the
enterprise’s commitment to high standards of integrity, ethics and
competence?
2.14 Do training programmes sufficiently enhance the enterprise’s
commitment to high standards of integrity, ethics and
competence?
2.15 Do sufficient lines of communication exist to obviate the
temptation of “whistleblowing”?
FRAUD
Fraud is an intentional, deceitful act for gain with concealment.
it is more than theft
We may classify fraud as:
• management fraud, for instance fraudulent financial reporting
• employee fraud
• outsider fraud
• collusive fraud.
Pressure-Opportunity-Justification/Rationalization-fraud risk
factor
Reviewing Internal Control over Financial Reporting
SECTION 404. MANAGEMENT ASSESSMENT OF INTERNAL
CONTROLS
(a) RULES REQUIRED.—The Commission shall prescribe rules
requiring each annual report required by section 13(a) or 15(d) of
the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)) to
contain an internal control report, which shall—
(1) state the responsibility of management for establishing and
maintaining an adequate internal control structure and
procedures for financial reporting; and
(2) contain an assessment as of the end of the most recent fiscal
year of the issuer, of the effectiveness of the internal control
structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With
respect to the internal control assessment required by
subsection (a), each registered public accounting firm that
prepares or issues the audit report for the issuer shall attest to,
and report on, the assessment made by the management of the
issuer. An attestation made under this subsection shall be made
in accordance with standards for attestation engagements issued
or adopted by the Board. Any such attestation shall not be the
subject of a separate engagement.
SECTION 302. CORPORATE RESPONSIBILITY FOR FINANCIAL
REPORTS
(a) REGULATIONS REQUIRED.—The Commission shall, by rule,
require for each company filing periodic reports under section
13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C.
78m, 78o(d)), that the principal executive officer or officers and
the principal financial officer or officers, or persons performing
similar functions, certify in each annual or quarterly report filed
or submitted under either such section of such Act that—
(1) the signing officer has reviewed the report;
(2) based on the officer’s knowledge, the report does not contain
any untrue statement of a material fact or omit to state a
material fact necessary in order to make the statements made,
in light of the circumstances under which such statements were
made, not misleading;
(3) based on such officer’s knowledge, the financial statements,
and other financial
information included in the report, fairly present in all material
respects the financial
condition and results of operations of the issuer as of, and for,
the period presented in the report;
(4) The signing officers—
(A) are responsible for establishing and maintaining
internal controls;
(B) have designed such internal controls to ensure that
material information relating to the issuer and its consolidated
subsidiaries is made known to such officers by others within
those entities, particularly during the period in which the
periodic reports are being prepared;
(C) have evaluated the effectiveness of the issuer’s
internal controls as of a date within 90 days prior to the report;
and
(D) have presented in the report their conclusions
about the effectiveness of their internal controls based on their
evaluation as of that date;
(5) the signing officers have disclosed to the issuer’s auditors and
the audit committee of the board of directors (or persons
fulfilling the equivalent function)—
(A) all significant deficiencies in the design or operation
of internal controls which could adversely affect the issuer’s
ability to record, process, summarize, and report financial data
and have identified for the issuer’s auditors any material
weaknesses in internal controls; and
(B) any fraud, whether or not material, that involves
management or other employees who have a
significant role in the issuer’s internal controls; and
(6) the signing officers have indicated in the report whether or
not there are any significant changes in internal controls or in
other factors that could significantly affect internal controls
subsequent to the date of their evaluation, including any
corrective actions with regard to significant deficiencies and
material weaknesses.
SECTION 906. CORPORATE RESPONSIBILITY
FOR FINANCIAL REPORTS.
(a) IN GENERAL.—Chapter 63 of title 18, United States Code, is
amended by inserting after section 1349, as created by this Act,
the following:
‘‘ 1350. Failure of corporate officers to certify financial reports”
(a) CERTIFICATION OF PERIODIC FINANCIAL REPORTS.—Each
periodic report containing financial statements filed by an issuer
with the Securities Exchange Commission pursuant to section
13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C.
78m(a) or 78o(d)) shall be accompanied by a written statement
by the chief executive officer and chief financial officer (or
equivalent thereof) of the issuer.
‘‘(b) CONTENT.—The statement required under subsection (a)
shall certify that the periodic report containing the financial
statements fully complies with th requirements of section 13(a)
or 15(d) of the Securities Exchange Act of 1934 (1 U.S.C. 78m or
78o(d)) and that information contained in the periodic report
fairly presents, in all material respects, the financial condition
and results of operations of the issuer.
‘(c) CRIMINAL PENALTIES.—Whoever—
‘‘(1) certifies any statement as set forth in subsections
(a) and (b) of this section knowing that the periodic report
accompanying the statement does not comport with all the
requirements set forth in this section shall be fined not more
than $1,000,000 or imprisoned not more than 10 years, or both;
or
‘‘(2) Willfully certifies any statement as set forth in
subsections (a) and (b) of this section knowing that the periodic
report accompanying the statement does not comport with all
the requirements set forth in this section shall be fined not more
than $5,000,000, or imprisoned not more than 20 years, or both.
• COSTS AND BENEFITS
These costs have been relatively evenly spread between internal
costs to position management to be able to attest to the
effectiveness of internal control over financial reporting, external
costs to supplement these internal resources, and additional audit
fees.
The external audit has been described as “the triple audit”—
(a) the traditional audit of the financial statements,
(b) the audit by the external auditor of internal control over
financial reporting, and
(c) the auditor’s attestation of management’s assessment of and
certification to the
effectiveness of internal control over financial reporting.
REVISED DEFINITIONS OF ‘‘SIGNIFICANT DEFICIENCY’’
AND ‘‘MATERIAL WEAKNESS’’
Significant deficiency—PCAOB Auditing Standard No. 2 (2004)
A control deficiency (or a combination of internal control
deficiencies) should be classified as a significant deficiency if, by
itself or in combination with other control deficiencies, it results
in more than a remote likelihood of a misstatement of the
company’s annual or interim financial statements that is more
than inconsequential will not be prevented or detected.
Significant deficiency—PCAOB Auditing Standard No. 5 (2007)
A significant deficiency is a deficiency, or a combination of
deficiencies, in internal control over financial reporting that is
less severe than a material weakness, yet important enough to
merit attention by those responsible for oversight of the
company’s financial reporting.
• Material weakness—PCAOB Auditing Standard No. 5
(2007)
A significant deficiency should be classified as a
material weakness if, by itself or in combination with
other control deficiencies, it results in more than a
remote likelihood that a material misstatement in the
company’s annual or interim financial statements will
not be prevented or detected.
Material weakness—PCAOB Auditing Standard No. 5 (2007)
A material weakness is a deficiency, or a combination of
deficiencies, in internal control over financial reporting, such
that there is a reasonable possibility that a material
misstatement of the company’s annual or interim financial
statements will not be prevented or detected on a timely basis . .
.A material weakness in internal control over financial reporting
may exist even when financial statements are not materially
misstated.
PCAOB Auditing Standard No. 5 (2007) also defines ‘‘significant
misstatement’’ as ‘‘a misstatement that is less than material yet
important enough to merit attention by those responsible for
oversight of the company’s financial reporting.’’
• USING A RECOGNISED INTERNAL CONTROL
FRAMEWORK
FOR THE ASSESSMENT
• Internal Control—Integrated Framework (1992) created
by the Committee of Sponsoring Organizations of the
Treadway Commission (“COSO”) as an example of a
suitable framework
• Guidance on Control published by the Canadian Institute
of Chartered Accountants (“CoCo”)
• Institute of Chartered Accountants in England & Wales
Internal Control: Guidance for Directors on the
Combined Code (known as the Turnbull Report)
 • The SEC’s Final Rule has defined an audit committee
financial expert as a person with all of the five following
attributes:
1. An understanding of generally accepted accounting principles
and financial statements;
2. The ability to assess the general application of such principles in
connection with the accounting for estimates, accruals and
reserves;
3. Experience preparing, auditing, analyzing or evaluating financial
statements that present a breadth and level of complexity of
accounting issues that are generally comparable to the breadth
and complexity of issues that can reasonably be expected to be
raised by the registrant’s financial statements, or experience
actively supervising one or more persons engaged in such
activities;
4. An understanding of internal controls and procedures for
financial reporting;
and
5. An understanding of audit committee functions.
• Under the Final Rules, in order to qualify as an audit
committee financial expert
a person must have acquired the above listed attributes
through any one or more of the following:
• Education and experience as a principal financial officer,
principal accounting officer, controller, public accountant or
auditor or experience in one or more positions that involve the
performance of similar functions;
• Experience actively supervising a principal financial officer,
principal accounting officer, controller, public accountant, auditor
or person performing similar functions;
• Experience overseeing or assessing the performance of
companies or public accountants with respect to the preparation,
auditing or evaluation of financial statements; or
• Other relevant experience; and, if other relevant experience is
what qualifies the
director, that experience must be described.
• RISK AND CONTROL ISSUES FOR THE SARBANES-OXLEY
S. 302 AND S. 404
COMPLIANCE PROCESS
Control Objectives for the Sarbanes-Oxley s. 302 and s. 404
Compliance Process
(a) To achieve ongoing compliance with s. 302 and s. 404 and
associated sections of the Act.
(b) To secure and maintain a reputation with investors and others
for exemplary
Sarbanes-Oxley performance.
(c) To ensure that the company maximises the benefit arising from
s. 302
and s. 404 work.
(d) To control the costs of s. 302 and s. 404 compliance.
• 1 Key Issues
1.1 Has the company defined and implemented a programme for
SOX compliance?
1.2 Is the SOX programme embedded into the business as a
managerial responsibility,
or is it reliant on internal audit and/or bought-in resources to
achieve?
1.3 How has it been ensured that management and staff
understand the meaning
of internal control?
1.4 Have the processes relevant to the SOX programme been
documented, with
the key SOX controls highlighted and described?
1.5 Has the company scripted the tests to be conducted
1.5 Has the company scripted the tests to be conducted of key
SOX controls?
1.6 Is the level and nature of testing sufficient to allow reliable
conclusions to be drawn about the effectiveness of internal
control over financial and other
reporting?
1.7 Do identified “material weaknesses” and “significant
deficiencies” indicate an unacceptable lack of priority being placed
upon effective internal control?
1.8 Are identified “material weaknesses” and “significant
deficiencies” remedied in a timely way, and usually before the
publication of the annual report?
1.9 How does the company ensure that management does not
override controls?
1.10 Does the company have a code of ethics for the chief
executive officer and senior financial and accounting officers, and
how does the company ensure it is appropriate and applied?
1.11 Does the chief audit executive provide assurance to senior
management and to the audit committee of the board as to the
effectiveness of the SOX process?
1.12 Does the audit committee of the board diligently oversee the
external audit process, including the independence of the external
audit firm and their provision of any nonaudit services?
1.13 Does the audit committee possess appropriate financial
expertise?
1.14 Does the company coordinate well with the external auditor
in the SOX process?
• 2 Detailed Issues
2.1 Are the company costs of the SOX programme (a) monitored,
(b) justified and (c) trending downwards?
2.2 Are the external audit costs of the SOX programme (a)
monitored, (b) justified and (c) trending downwards?
2.3 Does the company benchmark their SOX programme against
other companies?
2.4 Has the SOX programme resulted in improved internal control
processes?
2.5 Is the scope of the SOX programme appropriate in that all the
financial statement lines, business units and business processes
are in-scope that could result in “material weaknesses” and
“significant deficiencies” in public reporting?
2.6 Is a recognised internal control framework applied and does it
include an assessment of all of the components of internal
control, not just “control
activities”?
2.7 Why did the company choose the internal control framework
it uses for the SOX process?
2.8 Is there a control register which sufficiently describes the key
SOX controls, and is it kept up to date?
2.9 Is the certification by the CEO and CFO supported by timely
certifications from all the relevant lower levels of the company?
2.10 Is the consolidation of SOX work across the company done
effectively to support the CEO’s and CFO’s overall certifications?
2.11 Is the company standardising its SOX processes across the
business in all locations, to the extent appropriate?
2.12 Is there a SOX review of intended changes to business
processes before their introduction?
2.13 Are key SOX controls documented clearly so that the nature
and quality of these controls can be discerned from the
documentation?
2.14 Are the results of testing clearly recorded and retained?
2.15 Have any restatements of prior year results meant that the
CEO’s and CFO’s certification for the year in question was
erroneous and, if so, were appropriate lessons learnt and
approaches modified?