COMPANY LEVEL CONTROLS A PRACTICAL FRAMEWORK

Transcription

1 COMPANY LEVEL CONTROLS A PRACTICAL FRAMEWORK During the past two years a group of internal control specialists of large Dutch companies listed in the USA have held regular meetings to share experiences and to think of best practices for compliance with the Sarbanes Oxley regulations. In this article, a task force of that group presents a practical framework for Company Level s which the group considers to be best practice. IIA SOX platform In 2003 most large Dutch USA listed firms have started a program or project to get their internal processes compliant with the new Sarbanes Oxley ( SOx ) legislation. SOx section 404 requires management to make an assessment of a company s internal control over financial reporting. The need was felt to have some kind of a platform, which offers the opportunity to meet with colleagues of other companies to discuss the SOx related issues. As a consequence, the Dutch Institute of Internal Auditors (IIA) took the initiative to organise a discussion platform. The main objectives of this group are to share knowledge and experience in implementing SOx in order to develop best practices and to support discussions with external auditors. The following companies have regularly sent a representative to the meetings: ABN AMRO, Ahold, AKZO Nobel, Arcadis, ASMI, ASML, Buhrman, KLM, KPN, Reed Elsevier, Shell, TNT, Van der Moolen and VNU. Company Level s One of the topics that has lead to discussions and differences of opinion is related to Company Level s. Relevant rulemaking bodies have not issued detailed guidance, other than stressing the importance of Company Level s. External auditors also have only published limited guidance. As a consequence, the IIA SOx platform formed a task force, composed of representatives of four companies, with the objective to develop a common standard for Company Level s. This standard should comprise a practical framework and a list of controls which can easily be used to assess Company Level s in the various companies. Participants of the platform were willing to share their documentation, and the task force was able to use this as a basis to develop a framework. The results were presented regularly during platform meetings and lead to ample discussions and exchange of opinions. This resulted in the set-up of a framework of twenty nine key controls in the area of Company Level s. In the following paragraphs we will present this practical framework. What are Company Level s? After the May 2005 roundtable with key SOx stakeholders, both the SEC and the PCAOB commented on the strong criticism resulting from the experiences with year one SOx compliance. The comments directed focus of SOx compliance to a top down risk based approach, with a strong emphasis on Company Level s instead of a focus on transactional controls. What are Company Level s? The PCAOB gives some examples, although it did not come up with a definition. We regard Company Level s as controls that have the following characteristics: they exist on a higher level than transactional controls; and, set positive conditions and boundaries for the transactional controls; and, are the internal control infrastructure.

2 PCAOB section 53 Audit standard 2 of the PCAOB gives guidance to auditors on how to assess controls as part of an audit of internal control over financial reporting. Section 53 (see frame) gives examples of Company Level s. These examples cover all five components of the COSO framework. Therefore, we based our framework on COSO, taking into account the guidance from Section 53. PCAOB AS2, section 53 Company-level controls are controls such as the following: - s within the control environment, including tone at the top, the assignment of authority and responsibility, consistent policies and procedures, and company-wide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units (See paragraphs 113 through 115 for further discussion); - Management's risk assessment process; - Centralized processing and controls, including shared service environments; - s to monitor results of operations; - s to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs; - The period-end financial reporting process; and - Board-approved policies that address significant business control and risk management practices. Company level control framework The framework (fig. 1) visualizes the posistion of Company Level s and the nature and focus of Company Level s within the COSO framework. It shows that the basis for Company Level s are in the, the tone set by the top of the organization which has a pervasive effect on the control consciousness and effectiveness of controls in an organization. Another important aspect of Company Level s is ; i.e. the procedures a company uses to ensure that controls throughout the organization work according to plan. Information and Communication is crucial in implementing Company Level s; top-down information streams help company management to ensure that their (strategic) management decisions lead to appropriate action on the operating level. Bottom up information provides management with insight on how their strategies are being dealt with on operating level and provides information top management uses for their Risk Assessments. Based on the assessment of risks, are implemented to ensure that management s objectives are met.

3 External factors External demands Business: Market demands Compliance: Sox / Tabaksblat performance Regulators Company hierarchy Internal response Company Level s communication Risk assessment environment : activities communication Supervisory board Audit committee Executive board Group mgt Opco mgt Process owners Fig. 1 The standard set of Company Level s We have identified a set of 29 controls which fits in this framework and which forms in our view, the best practise set of Company Level s. In some instances individual companies may identify more topics based on their own organizational structure. However, we do not believe it is feasible that companies have less 1. The best practise Company Level s are listed below: # Relevant item Category Most appl. COSO element 1 Manual (existence, availability, authorization, changes discussed and approved) Communication 2 Mandatory training plan for accounting personnel (monitoring of progress) 3 Senior management periodically reviews an overview of accounting, reporting and internal control issues. (progress is monitored and reported in management meetings) 4 Senior Management ensures that certain high risk processes and related significant accounts are only processed and recorded at or via the corporate level. (e.g. (deferred) tax, goodwill and other intangibles, investments in subsidiaries). 1 This has been confirmed by meetings with representatives of the big four audit firms.

4 5 Bill of Authority/ Authorization table - procuration at the top / senior level (delegation of authorization) (availability, periodic update and authorization) Assignment of Authority 6 Senior Management consciously and willingly sets and maintains an appropriate Tone at the Top. (e.g. communication throughout the year and behavior examples set by senior management). 7 Code of Conduct and disciplinary actions in case of violations. (availability, confirmation of compliance, follow up of deviations) 8 Fraud Risk assessment, appropriate anti fraud programs and reporting on fraud instances. (availability, authorized and monitored) 9 Corporate management exercises oversight on litigation and communication with (financial) regulators. 10 Periodically divisional/ operating company review meetings by the Corporate Management Team are held. (consistency of Corporate and Division objectives, Actual divisional/business unit/operating company results are compared to budget) Business Planning and Performance 11 Self assessment of Audit Committee on its own performance. (assessment performance against charter, relationship / performance of inen external auditor, activities and competencies of Audit Committee members) Corporate Governance 12 The Audit Committee exercises appropriate oversight on internal control matters by the Audit Committee. (open communication with senior financial management, in- and external audit) Corporate Governance 13 Audit Committee ensures that open communication with in- and external auditors is established and maintained (approval audit plan, active participation in meetings, private meetings) Corporate Governance 14 The department reviews the organisational design and the availability of job descriptions. (key financial positions) 15 A pre-employment screening procedure is in place. (implementation instructions, define for which functions screening is required) 16 Realistic targets are set and used in performance measurement (undue pressure, mixed (finance, compliance)) 17 resource policies available (adequacy of hiring, retention and promotion process)

5 18 Agreement on future system development and ongoing IT projects. (IT strategic plan aligned to the business plan for development of information systems) Information Management 19 Independent reporting line from Internal Audit to Audit Committee Internal Audit 20 Periodic report from Internal Audit to the Audit Committee on performance. (staffing, progress of the audit plan, the effectiveness of Internal Audit, approval of Internal Audit charter) Internal Audit 21 Senior Management monitors the outcome of the periodic process regarding Letters of Representation (or in-control statements) issued by divisions / business units / operating companies. (accounting standards, code of conduct, control standards, signoff structure) Compliance / Internal Function Communication 22 of the status of identified control issues via a control remediation progress reporting. (among others: number, nature, remediation, progress) Compliance / Internal Function 23 Management performs risk assessment and assesses likelihood and impact. (analyze, plan, do, check, act) Risk Management Risk Assessment 24 The Supervisory Board reviews corporate strategy and approves the annual budget. (non-executive board) Strategic planning 25 The audit committee ensures existence, availability, appropriateness and communication of the Whistle-blower procedure. (independent reporting, anonymity, performance reporting to Audit Committee on reported instances and resolution) Whistle-blower 26 Budget process in place (related to strategy, quantifies goals, regular reporting reviews) Business Planning and Performance 27 Design of bonus plans ensure no incentive exists that could lead to improper financial reporting. (incentives are based both on financial and non-financial goals, long term development of the company, senior/executive personnel) 28 Ensure disclosure meeting is held quarterly to discuss details of PL/BS with Finance, Legal and Management 29 New business meetings with board, group control, legal and IT to discuss the impact on financial reporting, legal implication and IT when the new business is implemented. Risk Management Risk Assessment To elaborate on the relevant control items stated above, the following three examples are given. These examples provide more insight in the required documentation and evidence. The examples also give detailed information on what testing should include. Testing of Company Level s is characterized by the fact that the control description is in many cases focused on the existence of formal documentation such as authorized policies, agenda of meetings, minutes of

6 meetings, reports on performance. The test work programs will therefore to a large extent focus on the documentation identified already in the control descriptions, the implementation of relevant policies and the actual operation of the policies and procedures. Evidence and documentation Testing considerations CLC nr 1: Manual Ensure existence of: Availability of the Accounting & manual, including communication plan; Documented comments of internal / external auditors, including follow up; Approval by senior management; Change procedures for Accounting & manual. Verify whether: Reviews of the Accounting & Manual are done regularly to ensure timely updates to changes in applicable GAAP; documentation of these reviews exist; Changes to the Accounting & Manual are formally approved by senior management prior to release and distribution; Applicable finance staff has access to most recent Accounting & Manual (effectiveness of communication). CLC nr 7: Code of Conduct Ensure existence of: Authorized Code of Conduct is made publicly available (e.g. on company website); Annual confirmation on compliance with Code of Conduct is being organized; Annual evaluation of deviations from the Code of Conduct (e.g. Letter of Representation, ethics committee) by appropriate management; Periodic reporting on instances, remediation and action plan of deviations for the Code of Conduct. CLC nr 12: Self assessment of Supervisory Board on its own performance Verify, based on interviews with a number of employees at various levels in the company, whether they are aware of the Code of Conduct and that the code is frequently addressed by Senior Management in communications, e- mails, etc.; Verify annual confirmation for a sample of employees; Check whether the current version of the Code of Conduct is published on the intranet; Verify the existence of formal reporting procedures regarding violations of the Code of Conduct; Verify, based on the minutes of meetings, that deal with the violations, whether all violations reported are discussed, disciplinary actions defined and follow-up actions are initiated. Ensure existence of: Supervisory Board Charter, including a description of profiles and competencies of Supervisory Board members; Self assessment scheduled (agenda) by Supervisory Board; A questionnaire or other tool that ensures that the self assessment is done in a structured way and that all relevant matters are addressed; Result of self-assessment is formally documented and is agreed by Supervisory Board. Verify whether: Written evidence of these self-assessments exists (agenda, minutes and summarized questionnaire); The self-assessment is guided by the questionnaire and conclusions are established; All members of the Supervisory Board participate; Agendas and minutes of the meetings and, if applicable, follow-up actions are formally identified and results of previous actions are evaluated.

7 IIA platform going forward The Sarbanes Oxley act of 2002 has kept companies very busy over the past few years. Because of the complexity of the subject, the (Dutch) IIA initiative to organize a SOx-platform group proved and still proves to be a very valuable initiative. We will continue to meet, and we might share some of our thinking in this magazine. Our framework for Company Level s is in our view a good example of how the IIA can contribute to improved governance and enhanced internal controls in The Netherlands. We welcome readers of this article to provide their comments in order to improve the practical framework. About the authors: The IIA SOx networking Group is open for project leaders of US listed companies, located in the Netherlands. Drs. Ronald Bouman RA has experience with SOx at TNT and is currently interim SOx consultant at Van Der Moolen. Next to SOx he is focussing on Basel II and Solvency II. Drs. Jaap Gerkes RA has gained Internal and Risk Management experience at VNU. Currently he is a senior manager in the Dutch office of Protiviti, Independent Risk Consulting. Drs. Wilbert Jan van der Werf RA is employed at the Koninklijke Ahold N.V. in the SOx area. Drs. Heiko van der Wijk RA CIA gained SOx experience at KPN (till 2005) and is presently employed at KLM in the SOx area. He is also a board member of the IIA.