April 2006
A Case for Responsible Reporting
In considering ways to improve internal control over financial reporting, organizations should look to corporate responsibility reports.
Bruce McCuaig, CA–CIA, CCSA
Principal Consultant
Paisley Consulting
Over the past three decades, frequent, repeated, fundamental failures in the governance of financial reporting have led to public outcry, special commissions, and regulatory change. Communities, suppliers, consumers, pensioners, and others have been impacted dramatically by corporate financial misconduct. By any measure, the consequences of corporate governance failures have reached well beyond those with direct economic interests in corporations.
There is little objective evidence that the reliability of financial reporting has improved in the last 30 years, despite the billions of dollars invested in attempts to do so. Efforts to address the issue have included the National Commission on Fraudulent Financial Reporting (known as the Treadway Commission) in the 1980s, The Committee of Sponsoring Organizations of The Treadway Commission's (COSO's) Internal Control–Integrated Framework in the 1990s, and the U.S. Sarbanes-Oxley Act of 2002 with its resultant Auditing Standard No. 2 (AS2) from the U.S. Public Company Accounting Oversight Board (PCAOB). However, fraudulent financial reporting and corporate governance issues remain. Do the requirements for internal control effectiveness opinions and deficiency reporting under Sarbanes-Oxley and AS2 provide enough information to satisfy all stakeholders that corporations have sound internal control, compliance, and governance frameworks and that the reliability of financial reporting is improving? Are new solutions needed?
There is a significant opportunity for internal auditors to develop and implement cost-effective, sustainable approaches that go beyond current regulatory requirements for reporting on the reliability of internal control over financial reporting, as well as to improve corporate governance and compliance generally. In the last 30 years, corporations have achieved dramatic improvements in safety, quality, environmental, and other areas — but not in the reliability of financial reporting. There is an opportunity to go far beyond those minimum standards by borrowing from the successful techniques of our colleagues in other assurance professions and revising our disclosure and reporting frameworks.
What is needed is a fresh approach combined with innovative thinking. One model that auditors can draw from is the corporate responsibility report. Used by assurance professionals in the health, safety, environmental, and compliance areas, the corporate responsibility report is rapidly becoming a valuable source of detailed information — in addition to annual reports and regulatory filings — for all stakeholders. Internal auditors can dramatically expand the organization's reporting on internal control over financial reporting, corporate governance, and compliance using this medium.
CORPORATE RESPONSIBILITY REPORTS
Corporate responsibility reports are public documents directed toward stakeholders who do not have a direct economic interest in the corporation and whose information needs are not necessarily met by routine financial and regulatory reporting requirements. Typically, corporate responsibility reports deal with environmental, safety, supply chain, human rights, and social issues. They are becoming much more common, in some cases as separate documents, in other cases as part of a company's annual report. In fact, the June 2005 KPMG International Survey of Corporate Responsibility Reporting found that corporate responsibility reporting has been rising steadily since 1993 and has increased substantially in the past three years.
Public companies demonstrate in their corporate responsibility reports objective evidence that they have reduced environmental damage and improved worker and community safety, product quality, and working conditions. They describe in great detail the results of their various programs. The quantity and quality of information on these programs far surpasses information available in most annual reports on internal control, corporate governance, and compliance. For example, in its 2004 report on environmental compliance, Inmet, a Canadian mining company operating in remote locations, published a table tracking incidents of petroleum spills of less than 1 liter.
Corporate responsibility reporting is extremely relevant to the internal audit profession for two reasons: First, the tools and techniques used by fellow assurance professionals may prove equally useful to increasing the quality and quantity of information available to stakeholders on financial reporting, compliance, and governance issues. Second, as corporate responsibility reporting increases, appropriate new assurance standards will be required and internal audit services will be sought. Companies reporting on human rights, supply chain management, and environmental compliance will want their assertions audited. The internal audit profession has the global presence and experience to assist in developing the necessary standards and to provide assurance reports.
IDENTIFYING REPORTABLE INCIDENTS OR CONDITIONS
Much has been written about the need to report internal control deficiencies under Sarbanes-Oxley. In a February 2006 presentation to the U.S. Securities and Exchange Commission (SEC), the Institute of Management Consultants (a COSO member organization) quoted from a preliminary study indicating that more than 70 percent of survey respondents blamed a "lack of any practical guidance from the SEC on what constitutes a [significant deficiency] or a [material weakness]" as a major factor in escalating Sarbanes-Oxley compliance costs. The reporting philosophy embraced by the act calls for deficiencies to be assessed against broad, subjective standards.
Other regulators and assurance professionals adopt a radically different approach. For example, the threshold for reportable incidents commonly used by safety professionals is set broadly to include "any incident that is neither planned nor typical of normal operations." They tend to identify and report the lowest common denominator of an incident and extensively aggregate, analyze, and classify incidents to identify trends and root causes. Few, if any, corporations have defined and implemented any reportable incident policy for internal control, compliance, or governance issues.
Internal auditors have a central role to play in defining in common language — from a financial reporting, governance, and compliance perspective — what constitutes a reportable incident or condition for their companies. If reports of oil spills of less than 1 liter are relevant from an environmental control reporting perspective, what types of incidents or conditions are relevant from the perspective of internal control reporting? Should unexplained amounts in bank reconciliations be reported and tracked? Should vacancies in key financial positions be disclosed? Internal auditors have a role to play in developing standards to ensure incidents are interpreted and reported consistently across the enterprise. Competent, credible incident reporting requires careful definition and consistent application of definitions and reporting standards.
SHIFTING ACCOUNTABILITY FOR INCIDENT REPORTING
In the financial reporting world, much of the responsibility for detecting and reporting deficiencies or incidents falls on auditors. In the safety, quality, environmental, and many other assurance areas, responsibility for reporting incidents rests with management and workers. In the safety world, frontline workers routinely report near misses. Equipment operators report oil spills. Robust, complete reporting relies on active, willing management and worker participation.
In the world of internal control over financial reporting, rigorous incident reporting is an alien concept. Detailed incident reporting standards did not exist in the professional literature before Sarbanes-Oxley, and reporting rules in AS2 are unclear. Internal auditors have a critical role to play in designing mechanisms to ensure managers and workers recognize incidents and conditions and that reporting takes place. This will require internal auditors to assist in the development and implementation of reporting tools, forms, hotlines, Web sites, and related training.
ANALYZING ROOT CAUSES AND MEASURING IMPROVEMENT
Public disclosure of reported deficiencies under Sarbanes-Oxley rules defies most attempts at classification, aggregation, or root cause analysis. A recent study by the Financial Executives Research Foundation (FERF), Control Deficiency Reporting and an Analysis of Filings During 2004, indicated that only one of the 329 companies that reported deficiencies in the period covered used the COSO categories to classify their deficiencies. Of the large cap filers in the group (greater than US $1 billion in market cap), 22 percent of the deficiencies reported were so vague that the study could not reliably classify them into any COSO category. The balance of the deficiencies was attributed to the COSO categories by the authors of the study.
Improvement in internal control over financial reporting requires extensive classification of deficiencies and root cause analysis. COSO's Internal Control–Integrated Framework is the most, if not the only, accepted authoritative source available for classifying internal controls and control deficiencies. However, the FERF study shows that it is not being used. Improvement in internal control over financial reporting, and improvement in governance and compliance, requires an understanding of what went wrong and the root cause of the failure. For example, if an employee fails to comply with a policy, is it because the employee did not know the policy existed, did not know it was important, did not know how to comply, did not know he or she wasn't complying, didn't care, or was too busy? If the root cause of the noncompliance is not known, the remediation will likely be misdirected. All of the potential root causes mentioned here, as well as others, are addressed in specific categories of Internal Control–Integrated Framework.
Internal auditors are in a unique position to develop the taxonomy required for root cause analysis of incidents and deficiencies across industry sectors and to develop standards required for aggregation of deficiencies, root cause analysis, and best practice remediation.
CLEARLY DEFINING INTENDED RESULTS
Safety, quality, and environmental professionals set clear, aggressive, objective outcomes and targets for every activity in every level of the organization. They measure performance and aim for continuous improvement. Specific targets for safety, quality, and environmental performance are set for individual plants, products, and business lines. The targets and commitments are frequently made available on Web sites and published in annual reports. They can be compared from year to year and often from company to company. In its 2004 corporate responsibility report, Ford Motor Co. clearly identifies targets and progress in improving the fuel economy of sport utility vehicles. Other automobile manufacturers discuss vehicle safety performance.
Internal audit professionals should embrace the same practices. Auditors can measure the historical reliability and variances of specific financial processes and disclosures and continuously improve them. For example, the monthly adjustments required to correct revenue accruals or to adjust book-to-physical inventory can be tracked and measured by business unit and over time. The accuracy of an accounts payable process in paying properly approved invoices to valid vendors can be measured and tracked. The rate at which hacking incidents occur and are detected can be measured and tracked. In those areas where a company is most at risk for internal control, compliance, or governance issues, performance statistics of key processes can be measured and tracked.
Internal auditors have a unique perspective and ability to identify critical processes and develop meaningful performance measures for their industry and organization. Most of this information is known or should be known.
CONSIDERING THE HUMAN FACTOR
Human Factors: A Guide to Action, a booklet published by ExxonMobil, explores how gaining an understanding of human factors is key to achieving its goal of zero safety, health, and environmental incidents. The report is a study of how human behavior influences and sometimes causes failure or error, and what to do about it. Minute details such as the strengths and weaknesses of various seating arrangements around a refinery control panel are evaluated and discussed. Exxon is concerned with precisely how to tailor controls to the reality of the workplace and the physical and social needs of people in carrying out their responsibilities.
In the accounting and auditing world, organizations rely extensively on humans to perform internal controls such as segregation of duties, account reconciliations, and user passwords and to provide supervisory approvals. But published research on the effectiveness of various types of internal controls dependent on human behavior is virtually impossible to find. For example, how long, on average, and under what circumstances, will two people charged with segregated duties actually continue to do so? When will social and work pressures prevail and cooperation trump segregation? On average, what is the effectiveness of a supervisory approval on a form? Does the average supervisor really look at, or even understand, what he or she is signing on a typical journal entry? How much credence should be placed on an approval signature? What are the precise factors that will deter employees from reporting wrongdoing when they see it? What can be done to make these controls work effectively? What controls should be abandoned? Meaningful research on these topics is not available.
In the safety, quality, and environmental arenas, new tools, procedures, or controls are implemented only after gaining an understanding of how they are impacted by, and how they in turn impact, human behavior. The financial assurance profession recommends controls and expresses control effectiveness opinions with little research evidence as to what constitutes "effective control." Internal auditors are in a unique position to study and conduct research on the human factors in internal control, compliance, and governance.
OPPORTUNITY KNOCKS
The popularity of corporate responsibility reports is on the rise. Companies are seeking the development of assurance standards to guide independent opinions on corporate responsibility reporting. Both the International Standard on Assurance Engagements (ISAE 3000) and the AA1000 Assurance Standard (AA1000AS) are aimed at the full range of corporate responsibility reporting as it currently exists. Both seek to guide external auditors in providing an audit opinion on these reports. The internal audit profession has an opportunity both to influence these standards and to develop appropriate standards for internal auditors performing similar work.
Corporate responsibility reporting on the areas of internal control, compliance, and governance is new; thus, reporting frameworks need to be created. Determining what should be reported and how is a new role for internal auditors.
To comment on this article, e-mail the author at bmccuaig@theiia.org.