Control activities mitigate risks to help ensure that operating, reporting and compliance objectives are met. A lapse in awareness, judgment, or action can prove disastrous. Identifying proper controls for your size, industry and operating environment is essential for success. While financial reporting controls often garner much of the attention, controls are necessary to help reach all corporate objectives, including regulatory compliance and strategic planning initiatives.
Internal Controls over Financial Reporting (SOX-404)
Popularized by Section 404 of the Sarbanes-Oxley Act (SOX), internal control over financial reporting (ICFR) continues to demand a lot of attention, and cost. Specifically, U.S. public companies must include in their annual 10-K report, as filed with the SEC, a report entitled Management's Annual Report on Internal Control Over Financial Reporting (Annual Report on ICFR). There are four disclosure requirements for the Annual Report on ICFR, as follows:
This effort, like any, involves risks and opportunities. Done correctly, management’s assessment of ICFR will help keep the company within the good graces of the SEC, investors, creditors and other stakeholder groups. However, this involves understanding and applying the wide variety of controls that collectively define ICFR. This includes entity-level controls, manual accounting controls, IT general controls and software application controls. The Kral Ussery team brings a complete set of tools and knowledge bases to assist management in virtually any aspect of the ICFR evaluation.
Information Technology General Controls and Cybersecurity Accountability
Robust IT general and application controls are critical for any organization. We apply a variety of frameworks, including COSO’s Internal Control – Integrated Framework and ISACA’s Control Objectives for Information and Related Technologies (COBIT framework) in helping clients design and test their IT controls. This includes access, security (i.e., cybersecurity) and change management that often rise to the top of external auditors’ concerns in evaluating risks. Cybersecurity is one of the hottest topics in boardroom and management circles, and rightfully so. We can help you develop an effective cybersecurity risk management strategy.
Entity-Level Controls via the COSO Frameworks
The heartbeat of strong controls is clearly in the hands of people. While the movement to automate controls has appropriately gained momentum in an effort to reduce testing efforts and maximize operating effectiveness, the majority of entity-level controls rely upon people. Investing in your people and culture, which is the essence of entity-level controls, is a company’s safest bet to avoid material weaknesses and gain cost efficiencies. Competent people working within a healthy control environment will do more to reassure your external auditors than anything you can provide on the costly documentation front.
Entity-wide controls include the control environment, risk assessments, information, communication and monitoring activities. This includes the infamous “tone at the top.” Indeed, it is ultimately people who establish and oversee company objectives and the underlying controls to reach them. Unfortunately, the reality is that many companies continue to struggle on this front. Here are some suggestions for addressing risks through control assessments:
The Internal Control – Integrated Framework, created by The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is by far the most common framework used by SEC registrants for evaluating ICFR. We believe that this is an extremely powerful framework for addressing all types of controls, including entity-level controls.
As the shareholders’ eyes and ears on management, the board of directors must provide oversight to help ensure corporate objectives are met. Many governance experts agree that while board members should not be micro-managing their companies, they should ensure sufficient monitoring of management’s key decisions and actions. Kral Ussery LLC understands these dynamics and works with boards and their committees to provide a healthy degree of monitoring through special reviews, controls and internal auditing.
Boards must keep a pulse on the most significant risks to the entity’s business model as well as on executive management performance. Likewise, the C-suite needs to know what risks may be hidden from view today that can cause problems tomorrow. All board members and managers with governance, risk and compliance responsibilities need to be comfortable that their controls are well established and operating as designed. The proper alignment of people, process, technology and data is essential to growing shareholder value. We work with boards and management teams to help ensure that controls are effective through robust design, accountabilities and communications.
Board and Committee Assessment Tools
While many tools exist for evaluating boards, most of them simply evaluate whether the organization meets basic fiduciary or regulatory requirements. Compliance with legal regulations is a must, but boards wishing to make a real difference need to set the bar even higher.
Kral Ussery offers a suite of board-evaluation tools ranging from self-administered questionnaires to anonymous surveys and facilitated sessions. Our tools assess entire boards, both statutory and advisory, individual directors, or specific committees such as audit, compensation and nominating. Our evaluations address critical success factors such as: