Marks on Governance (comment feed, Fri, 18 Apr 2014 03:05:43 GMT)

Tim Leech Norman: Unfortunately, I expect a large percentage of U.S. listed companies are/will soon be busy mapping controls to COSO principles, diverting valuable resources away from rigorous assessment of the statistically probable risks that threaten the objective of reliable financial reporting. The SEC and PCAOB, not Congress, decided to require registrants to opine against a "suitable control model". Unfortunately the current guidance is vague on when the COSO "mapping" exercise recommended in the recent IIA Compass report discloses deficiencies to the point they can no longer claim to have "effective" controls in accordance with COSO 2013. The article my daughter and I authored, titled "Preventing the Next Wave of Unreliable Financial Reporting: Why US Congress Should Amend Section 404 of the Sarbanes-Oxley Act", describes what we think U.S. Congress should do if the real goal is improving the reliability of U.S. listed financial statements. It can be accessed with a simple Google search. I fear the SEC and PCAOB will sit on the sideline for a couple of years to see how many companies and auditors do, in fact, treat SOX 404 like a checklist/mapping exercise, at least in part. A number of excellent white papers have recently postulated that there is a human tendency to want to audit what is easy, not what is really key to high certainty that an objective will be achieved. Time will tell how many decide "mapping" controls to principles is easier than actually identifying and assessing the real risks to reliable financial reporting.

Wed, 16 Apr 2014 20:11:45 GMT
Norman Marks  Thanks, Dan. This is an excellent opportunity (a risk assessment of the principles) to understand where the financial reporting risks lie and to remove from scope some of the 'old' and unnecessary entity-level controls we had in the past.

Tue, 15 Apr 2014 23:16:16 GMT
Dan Gaffney Norman, I do agree on SOX scope to include only those key controls relied upon to either prevent or detect a material misstatement.

I see your point and in my approach, the mapping exercise would show that achieving some COSO principles in one organization may not be applicable but in other organizations with a different control structure, the failure to achieve the same principle may represent a financial reporting risk.

Tue, 15 Apr 2014 23:05:26 GMT
Norman Marks  Dan, would you agree that the SOX scope should include only those key controls relied upon to either prevent or detect a material misstatement?

If so, why include controls where a failure to achieve a COSO principle would not, directly or indirectly, represent a financial reporting risk?

Tue, 15 Apr 2014 21:12:00 GMT
Dan Gaffney Thank you Norman and Tim.

I haven't considered the COSO update as a checklist approach but a mapping of controls to principles that provide management and the external auditors with a better understanding of the overall control structure for SOX.

And if organizations were following the original framework as a process for meeting their SOX objectives, there shouldn't be a great degree of work to be done in the update.

I appreciate the dialogue and perspectives. Thanks.

Tue, 15 Apr 2014 21:02:07 GMT
Norman Marks  Tim, I think I quoted from AS5, referenced the October Staff Alert, and quoted from the PCAOB Board member speech.

They continue to emphasize the top-down approach, have not updated it to require addressing all the Principles, and if you read the PCAOB Board member speech, they say that completing a checklist is a lost opportunity.

On the other hand, if you are looking at the organization's system of internal control beyond SOX, at how objectives in general are achieved, you can't argue that all of the principles are important and need to be considered.

Tue, 15 Apr 2014 17:42:39 GMT
Tim Leech Norman: I agree 100% that SOX 404 should be top-down/risk-based. I thought you might find it interesting that this month's issue of IIA Your Career Compass calls for an "inventory of where your organization stands regarding the 17 principles". Perhaps I'm missing something, but that still sounds like a checklist to me. The article then calls for mapping controls to principles, which likely provides more flexibility to claim controls are effective in accordance with COSO than mapping principles to controls. I would be interested to know if, based on your discussions with the PCAOB, they think there needs to be an "inventory" against COSO principles.

Tue, 15 Apr 2014 17:03:17 GMT
Norman Marks  Alban, why is "managing risk at the speed of the business" a 'suicidal business decision'?

Every time you make a decision it involves managing risk.

Tue, 08 Apr 2014 19:24:38 GMT
Alban N.C. Onwuliri Johan,

Yes, I agree in absolute terms with your comments that EMR is essentially 'control', but I'm of the view that managing risk at the speed of the business is a 'suicidal business decision'. No matter the risk premium in the market, the essence of EMR and the objective of the firm cannot be relegated to the background. Risk is measurable, so the capacity of the firm and the firm's risk tolerance level is of essence and should be given due consideration.

I am enjoying your comments.

Tue, 08 Apr 2014 19:00:55 GMT
Norman Marks  SBP, we can disagree on whether the organization took on more risk by investing in lower grade (and therefore riskier) products.

On your questions, 1) in those days we didn't use risk management language, just the language of the business. She talked to the Treasurer (Corporate officer) about the level of risk he was willing to take on overnight investments and then compared that to the overall risk attitude of the organization. They appeared out of sync so the matter was raised to senior management (CFO) for resolution. 2) This was the corporate Treasury function.

Tue, 08 Apr 2014 16:32:58 GMT
SBP I do not think she recommended that the organization take on more risk. Rather, she recommended that the objectives of the business unit should be in line with the overall objectives of the organization. A couple of questions come to mind: 1) Did she examine the risk appetite of the business unit itself? 2) Was the organization purposely asking this business unit to take on less risk in order to diversify its risk-taking?

Tue, 08 Apr 2014 13:32:40 GMT
Norman Marks Kiersyn, entity level controls are of two types: those that may be relied on to prevent or detect a material error, and those that have an indirect effect. This is explained in AS5 and the SEC Interpretive Guidance. Of course, I think the best explanation of how to address them is in my book! You can find it on Amazon or in the IIA Bookstore.

Thu, 03 Apr 2014 17:35:11 GMT
Kiersyn Hi Norman,

Thank you for your insightful comments. Our company is beginning to transition to COSO '13. We were mapping the Principles to our controls; I like your thoughts much better! My question is this - how do entity level controls factor in - or what are your thoughts on them as they relate to the Principles and the transition to COSO '13? Thanks! Kiersyn

Thu, 03 Apr 2014 16:38:17 GMT
Paul Reichel FCA 'Time to think' - an interesting topic to set against budget constraints. I remember my worst experience of a SOX review, in a small subsidiary of a US Corp here in Germany, where we were visited virtually on an hourly basis (No joke!) and were asked if we could perform faster and get out of their hair - release their operational staff from this bureaucratic burden (?!) Curiously, this brought about only one result. I was forced to report back that they were acting so strangely it was almost as if they had something to hide! They were consequently subject to even more onerous bureaucratic burdens, sponsored by the Corporate Controller. Oh well! Such is life!

Tue, 01 Apr 2014 16:53:20 GMT
Paliam Loganathan

Mon, 31 Mar 2014 18:39:39 GMT

Dan Gaffney Thanks for sharing these points as perspective, Norman.

Appreciate you reiterating that the PCAOB has not issued new guidance or standards since AS5. I think that's the key point in this discussion and in my experience, management and auditors are not yet clear on this point.

Very well summarized.

Sun, 30 Mar 2014 18:43:14 GMT
Norman Marks Tim, thank you for the comments and explanation.

The risk where the CFO/Controller is not technically qualified is the very first potential material weakness that I reported to the audit committee after I joined Maxtor as CAE, with SOX program management in my area. The risk is specifically identified in AS12 (one of the auditing standards released in 2010 that few in management seem to be familiar with).

Collusion is a major issue, and fraud at the top has been a concern with every external audit firm I worked with as CAE. I believe that is one of the reasons why they always do their own review of journal entries posted around the time of the close.

Here is the link, for those who have not seen them, to the 2010 auditing standards (all released in one package as appendices to this report):

Sun, 30 Mar 2014 14:59:56 GMT
Tim Leech Norman: I understand the points you are making. My observations are based on the fact that my firm provides SOX 404 and Canadian equivalent services to clients and I, like you, have trained tens of thousands of SOX specialists since 2004. I regularly see evidence that the most statistically probable risks are not being identified and formally evaluated. A simple example is the risk "CFO/Controller technically not current with GAAP". How many internal SOX programs or external audit firms actually evaluate the professional development program followed by the CFO and controllership staff with specific focus on the actual training taken each year? Restatement statistics regularly show this to be a significant risk to materially reliable financial statements. Another example is "CFO and CEO collude to misstate the FSs". Perhaps these are seen as too sensitive to actually assess how good the controls are for this type of risk. Another example is the frequency that I see real research using tools like Audit Analytics to identify the most statistically probable material misstatements (not often). True risk management does not rely on "brain storming" and sitting around a room throwing out ideas. It seeks to obtain fact-based information on risks. I haven't seen any specific guidance from the PCAOB that calls for the risk identification phase to go beyond brain storming, interviews and discussion. The focus continues to be on control documentation and testing. Recent research indicates tax provisions are still a statistically high cause of restatements. That suggests ICFR work in that area needs improvement.

Sun, 30 Mar 2014 14:38:43 GMT
Norman Marks Tim, a few comments:

1. This was not an official PCAOB speech. It was by a member of the PCAOB Board, speaking for herself (although I would be astonished if the full Board and staff disagreed).

2. The Examiners did not say the external auditors were "deliberately misleading clients". While I know of companies whose auditors are telling them 'untruths', the auditors involved probably believe they are true statements because of what their leadership is telling them about the Gestapo examiners.

3. Nobody's ICFR has been flagged as "inadequate". The audit of ICFR was flagged as inadequate: insufficient evidence was obtained to support the external auditors' assessment of ICFR.

4. It is the SEC and not the PCAOB that recognizes internal control frameworks. They are bound by the law, SOX, to recognize internal control frameworks. However much I prefer ISO 31000 to COSO ERM, neither is an internal control framework and neither has been nor should be recognized.

5. AS5 is not intended to call for "best global practice in risk management". It is intended to direct external auditors in their risk-based assessment of ICFR - and, by the way, the top-down process in AS5 and SEC Interpretive Guidance, and repeated in the Staff Alert, is consistent with ISO 31000.

Sun, 30 Mar 2014 14:20:20 GMT
Tim Leech Norman: Thanks for drawing attention to the PCAOB remarks. It would seem to me however that, if some external auditors are deliberately misleading clients in the area of ICFR to justify higher hours or avoid alerting clients that their ICFR has been flagged as inadequate, stronger action than comments during a speech is warranted. I believe one way to correct the type of deficiencies identified in the PCAOB October 2013 guidance would be to indicate COSO ERM 2004 and ISO 31000 are "suitable" frameworks. As long as the PCAOB restrict their list of approved frameworks to "control criteria centric" frameworks, with the 17-principle COSO 2013 being the de facto model, both clients and external auditors will continue to focus on the control criteria dimension in their assessments, instead of focusing on the statistically most probable risks clients face by business sector linked to reliable financial reporting. In my opinion, as the old saying goes, the PCAOB is reaping what it sows in its requirements and guidance. The argument that AS 5 clearly calls for methods that reflect best global practice in risk management is simply patently wrong.

Sun, 30 Mar 2014 13:56:22 GMT