Written by Steven Randall, Partner, Vonya Global
Prior to 2013, the Securities and Exchange Commission (SEC) had permitted companies in fraud cases to settle without admitting to any wrongdoing; this meant that even in serious cases of accounting fraud, companies could simply walk away without admitting their malfeasance despite the loss of millions on the part of investors. However, in 2013, the SEC made important changes to the whistleblowing process and began enhancing accountability by demanding admissions from companies in settlements.
In order to help companies comply with Section 404 of the Sarbanes-Oxley Act (SOX 404), the Committee of Sponsoring Organizations of the Treadway Commission (COSO) created an updated framework which clarifies five specific areas for internal controls and 17 principles within those areas. The 2013 version of SOX 404 superseded the original 1992 version as of December 15, 2014, although the old practice of allowing settlements without admissions continues in many cases. The SEC is now more likely to demand admissions for cases in which many investors were hurt, the behavior caused a significant risk to the market, intentional misconduct or obstruction took place, or when the admissions themselves and disclosure of the facts could inform investors and send an important message to the market, generally.
Still, no company should risk being in the position of receiving a demand for admissions from the SEC. Here are the areas of concern set forth by the new guidelines:
Implement the 2013 COSO Framework
Despite the apparent lack of progress in some areas, best practices demand that companies follow the new framework, which retains three types of objectives: compliance, operations, and reporting. In other words, your internal controls for SOX compliance should involve more than financial reporting. Heightened scrutiny demands this process be more closely controlled.
Evaluation of Existing Internal Controls Company-wide
The 2013 framework makes it clear that internal controls should be applied company-wide. Senior management must set the standard, emphasizing corporate ethical expectations, codes of conduct, and the importance of internal controls. To ensure that your existing monitoring and governance safeguards are in compliance with the 2013 framework, reassess their role within the SOX 404 program.
Dynamic Risk Assessment Program
New guidelines suggest that companies keep a dynamic risk-assessment program in place which accounts for important shifts in operations and adjusts to emerging, external, and internal risks. Management must be formally involved in the ongoing risk assessment of changes and possible changes in internal controls; complex non-routine processes; emerging risks and issues being experienced by peer companies and in the industry at large; fraud risk assessment; manual and end user-dependent processes and tools; and interdepartmental processes which necessitate data exchanges. To maintain accurate qualitative risk management, this process must be ongoing.
Outside Service Providers
Organizations are increasingly relying on outside service providers (OSPs), so internal controls must monitor these interactions carefully. Of the 17 principles set forth in the 2013 framework, 12 of those are focused on the use of OSPs. Companies should include OSPs in their ethics and compliance programs because the new framework places so much emphasis in this area.
Fraud Risk Factors And Assessment
Evaluations of fraud risk factors like attitude, incentives, and rationalization are also part of the new guidelines. In response, companies should ensure that their existing risk assessment procedures address all types of fraud, including financial reporting fraud and the misappropriation of funds. Internal controls that cover external financial reporting and OSPs may demand modification to stay in step with the newer guidelines.
Information Systems And Internal Controls
The 2013 framework addresses information systems and technology in nearly all of the new principles. This is related to the dramatically increased importance of data and information systems and technology to internal controls. To ensure compliance, company information must be verifiable, current, complete, and accurate.
The framework also acknowledges the effective collaboration between various departments as significant to financial statement disclosures. As a result, companies should assess and document expected and actual information flow and the end-to-end process. They should also clarify the roles of various departments in the internal controls process. Companies must identify which internal controls manage information quality for data used in disclosures. Finally, they should reassess and adjust complex processes, including those that concern OSPs.
The Bottom Line
Some companies are lagging in their implementation of the 2013 COSO framework, and it’s crucial that they implement and execute it now. Compliance may demand more investment of time and more detailed processes. This new tone must be set by senior management; the attitudes that an organization’s leadership displays towards the audit process shape the overall company culture of ethical compliance. These issues will continue to be important to the SEC as it investigates cases.
This blog post was authored by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit co-sourcing, outsourcing, and consulting services; a member of the Institute of Internal Auditors (IIA) Chicago Chapter Board of Governors; a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research; the President of the Oz Park Baseball Association, a not-for-profit organization dedicated to providing fundamental based baseball in a safe environment in the city of Chicago; and an Advisory Board Member of the Chicago Youth Baseball Initiative, a University of Illinois at Chicago community group dedicated to providing Chicago youth with the opportunity to play baseball in a fun and safe environment, while offering educational experiences on a world-class college campus. Steve was recently named The Institute of Internal Auditors’ Chicago Chapter’s New Member of the Year. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, twitter, or his LinkedIn Profile.