June 2011

A Smarter Compliance Process

 

A look at how one company uses control self-assessments to efficiently and effectively manage its Sarbanes-Oxley initiatives around the globe.

 

Aleksei Brizhik, CPA, CFE
Director, Internal Audit–SOX Compliance
AES Corp.

 

Cecilia Lobo
Senior Manager, Internal Audit–SOX Compliance
AES Corp.

 

Tae Yoo, CIA
Manager, Internal Audit–SOX Compliance
AES Corp.

 

Since the enactment of the U.S. Sarbanes-Oxley Act of 2002, many companies have struggled with the difficulties of implementing efficient compliance programs. Though challenging, a global company can transform a Sarbanes-Oxley compliance initiative into an efficient, dynamic, and valuable organizational program while minimizing the stress experienced by finance personnel.

 

 

AES, based in Arlington, Va., is a global S&P 500 power company that owns a portfolio of electricity generation and distribution businesses in 30 countries spanning five continents. AES operates in more than 100 locations, comprising utilities, generation plants, shared services hubs, branches, and representative offices where local finance and accounting staff can range from a small group to a few hundred. Establishing and managing an effective Sarbanes-Oxley compliance program at a company is a difficult task when the company operates across multiple locations, cultures, time zones, and reporting and regulatory environments. As part of a continuous effort to improve internal controls, AES has been transitioning from an autonomous accounting reporting structure with multiple financial platforms to a network of geographically consolidated regional hubs with one unified enterprise resource planning system.

 

 

Sarbanes-Oxley Section 404 requires U.S. publicly listed companies to file an internal control report with their annual and interim reports stating management’s responsibilities in establishing and maintaining adequate internal controls and procedures for financial reporting, and management’s conclusion on the effectiveness of these internal controls. Examining changes in timing of controls testing, appropriately determining the assessments’ scope, and continuously aggregating testing results can lead to a “smarter” way to comply with Sarbanes-Oxley regulations.

 
COMPLIANCE AT A GLANCE

The Sarbanes-Oxley Compliance Group, part of the internal audit department that is based at corporate headquarters, is organized by geographic region. To implement the requirements of Section 404, AES uses the U.S. Public Company Accounting Oversight Board’s (PCAOB’s) Auditing Standard No. 5 (AS5) and The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control–Integrated Framework as guidelines. AES performs control self-assessments (CSAs) to assess the effectiveness of internal controls over financial reporting for compliance purposes, and incorporates activities including:

 
  • Quarterly process/control changes surveys through attestations certified by all financial officers (Sarbanes-Oxley Section 302: Corporate Responsibility for Financial Reports certification).
  • Sarbanes-Oxley Section 404 annual assessments (through testing and periodic assessment of aggregated control deficiencies).
  • Financial reporting internal audits with testing of internal controls related to audited areas as determined by annual risk assessments.
  • IT general controls (ITGC) testing (as part of CSAs at significant locations).
  • Entity-level controls testing, including segregation of duties and an anti-fraud assessment.
  • A corrective action plan program.
 

Historically, CSAs were performed each quarter and coincided with the financial quarter or annual close, causing the finance staff to deal with competing priorities and work long hours. The Compliance Group had to determine how to perform the CSAs without causing additional work for the local businesses. Beginning in 2009, CSA frequency was changed to three times per year with each cycle covering a four-month period. CSA testers are granted approximately one month to complete their testing and finalize the submission of results. Immediately after submission, the Compliance Group reviews the results, completes the control deficiency aggregation process, and communicates final results to the disclosure committee, executive officers, and the audit committee.

 

The AES Sarbanes-Oxley compliance process addresses each of the COSO components of internal control:

 
Control Environment

Process owners and department heads lead implementation of the annual Sarbanes-Oxley Section 404 compliance plan at AES with support from the Compliance Group. The Compliance Group’s geographic organization allows internal auditing to have a global presence and easily mobilize its resources. The Compliance Group is in charge of the administration of the CSA process and all Sarbanes-Oxley-related reporting requirements.

 
Risk Assessment

To establish the annual audit plan, internal auditing works with the Global Risks and Commodities Group to identify major risks AES can potentially face. The Compliance Group determines the timing and scope of internal control testing at the business units and corporate office based on risk assessment results and other considerations, such as the significance of financial results, prior internal control testing results, and significant changes in the business’ operations and structure, to ensure that all relevant risks have been addressed. In addition, the Compliance Group evaluates the CSA test results to validate the adequacy of test procedures performed and the conclusions rendered on the operating effectiveness of the controls.

 
Information and Communication

The Compliance Group also is responsible for managing the CSA component that addresses ITGC and works closely with IT management to identify critical applications throughout the organization for inclusion in the CSA. IT departments at each in-scope location are responsible for executing the testing and providing the results to internal auditing for review. This approach allows for individuals most familiar with the applications to perform the testing and provides IT with valuable insights into the strength of its internal control environment.

 
Control Activities

In addition to managing the execution and review of periodic CSAs, the Compliance Group is responsible for managing the CSA re-performance audits. As part of this process, internal audit resources at the hubs test and follow up on the implementation of corrective action plans to address control deficiencies. These independent audits provide an additional level of assurance as to the testing results through validation of samples already tested and evaluation of additional/independent samples for select controls. The audits are performed at businesses, hubs, and corporate areas that are selected based on the risk profile and history of CSA deficiencies at each entity.

 
Monitoring

Senior management’s responsibility also involves continuous monitoring regarding the resolution of deficiencies and any changes that could affect the internal control environment. This includes communicating any changes in processes or controls and any issues affecting compliance with Sarbanes-Oxley requirements or corporate policies. Such communication is made either through quarterly Sarbanes-Oxley Section 302 certification or through other appropriate channels. Furthermore, AES uses the CSA process to support the quarterly Section 302 disclosure within the company’s 10-Qs and year-end 10-K. Finally, CSAs are used as one of the venues for the businesses to report control failures for inclusion in corrective action plans.

 

CSA testing results are captured in a Web-based application where testers upload their workpapers and document their conclusions. Testers are granted access to their specific business or hubs. The application contains a sign-off sheet where the performers and reviewer of the CSA must be identified. It also includes a page for documenting the assessment of process/control changes (attestation) that is used for analysis and support of Sarbanes-Oxley Section 302. Each financial cycle is separately tabbed for efficient testing of the respective controls. The application allows for customization of CSAs according to the applicability of controls to specific businesses (i.e., controls for generation companies vs. controls for distribution companies).

 
ADJUSTING OUR APPROACH

Due to the company’s global exposure and operations, the AES Sarbanes-Oxley program required some flexibility to appropriately meet its compliance requirements. The program has evolved into a dynamic and customizable approach that leads to a more efficient and effective assessment of internal controls. Two of the elements in our approach that have been subject to this evolution and adjustment are scope and aggregation of control deficiencies.

 
Scope

When the CSA process was first implemented, AES tested a single set of controls (scope) at every operating business. The size, risks, industry, and complexity of the businesses were not factored into the CSA scope, and the Compliance Group realized this one-size-fits-all approach was costly and time consuming. If the CSA process was to be improved, it had to address the following issues:

  • The creation of regional hubs both transferred and consolidated key accounting functions to the hub level, eliminating the need to test some controls at the business level.
  • Many entities participating in CSA reviews were quantitatively immaterial but still were fully tested.
  • Certain accounting processes were immaterial or irrelevant to a given business, yet were still being tested.
  • Small businesses with limited resources struggled with the level of effort required to conduct CSAs; the main difficulties were the frequency of the CSAs (quarterly) and the volume of controls tested each quarter.
  • Accounting personnel reductions caused by hub transition and economic downturn at many AES businesses hindered their ability to perform effective and timely CSAs.
 

Today the CSA process is customized to address the unique risks and control environment of the various business types that make up AES. The different categories of CSA scope include:

 
  • Full CSA. Performed at businesses that are quantitatively and/or qualitatively significant (i.e., historically had many control deficiencies).
  • CSA “Light.” A customized scope performed at businesses with certain functions that were moved to the regional hubs and are quantitatively and/or qualitatively not as significant.
  • Equity Affiliate CSA. Focuses on testing AES monitoring and core financial reporting and accounting controls over the company’s equity affiliates, businesses where AES has influence, but not control.
  • Corporate CSA. A full-scope CSA designed to test a set of controls unique to corporate functions such as financial consolidation and reporting, tax provision, and long-term compensation.
 
Aggregation of Control Deficiencies

The examination of control deficiencies is critical to understanding an organization’s weaknesses, analyzing the root causes, and implementing and monitoring remediation actions to improve the control environment continuously. The impact of control deficiencies on a stand-alone basis could be viewed as short-sighted without a broader consideration of how deficiencies impact AES collectively. Effectively aggregating the control deficiencies can yield improvements in the organization’s control environment and should be a top priority for senior management.

 

At AES, deficiencies are identified through four primary sources: the CSA, internal audits, external audits, and an analysis of the summary of accounting adjustments. All four sources serve as arteries to the assessment of the control environment that supplies vital information, including indications of possible errors and lack of adherence to policies and procedures. The same four sources feed into an overall aggregation process that produces a comprehensive list of control deficiencies that impact the company. Thus, the aggregation process provides a “scorecard” that helps identify areas where the risk of noncompliance and significant financial impact resulting from control gaps and exceptions is higher. Communication is a key factor that helps to avoid duplication of efforts. For instance, if deficiencies have already been identified and evidenced through internal audits, the other three sources will help monitor the correction of the exceptions rather than reporting the same errors. Therefore, having these four different sources of information joined through the aggregation of deficiencies process provides efficiency in testing and reporting.

 

Aggregation is performed after each CSA testing period and initiated with each Sarbanes-Oxley manager collecting, reviewing, and producing a consolidated list of deficiencies sourced from the four primary sources for their respective regions and businesses. Each deficiency is reviewed and assessed to determine whether the root cause is attributed to a control deficiency and what, if any, potential financial impact exists.

 

Regional summary reports of aggregated deficiencies feed the master aggregation file that becomes the baseline for a consolidated report of deficiencies to management. Deficiencies are categorized by the nature of the exception, evaluated both individually and collectively, and aggregated across all businesses. Additionally, the Compliance Group determines whether the issue escalates to levels that would trigger further qualitative analysis or whether the company has a significant deficiency or material weakness. A summary of the aggregation of deficiencies is presented to the Disclosure Committee, members of the executive office, and the Audit Committee for consideration before issuance of the 10-Qs and annual 10-K.

 

All subsequent aggregation after the first CSA is rolled forward until the third and final CSA is completed at year-end. Deficiencies determined to be remedied after retesting are removed from the aggregation to represent the current state of all deficiencies identified throughout the year. A continuous aggregation process affords us the advantage of projecting problematic areas or trends that management needs to address in a timely manner.

 

Although there may be other methods of aggregation, the processes we use ultimately provide AES with a clear picture of the control environment to concisely define the deficiencies, analyze the root causes, and develop appropriate remedies to prevent such issues from occurring in the future.

 
LEARNING TO ADAPT

Sarbanes-Oxley compliance requires time to adapt to changing environments and effort to be open-minded to new strategies that better fit with the organization. Modifying the timing and scope of controls tested are good examples of how audit shops can evolve their Sarbanes-Oxley initiatives to achieve greater success.

 

Continuous monitoring of our internal stakeholders’ needs revealed process improvement opportunities that led to enhanced effectiveness and efficiency of our Sarbanes-Oxley program. Course changes included the periodic reassignment of CSA testers based on roles and responsibilities to ensure greater tester independence, and the issuance of workpaper templates with standardized testing procedures for testing and documentation consistency. Other notable modifications to our approach include the customization of CSA test plans per unique needs and type of business (e.g., generation, distribution, holding company, equity affiliate), and the annual rationalization (consolidation) of controls to reduce redundancy and eliminate noncritical controls from being tested.

 

The shift of testing to off-quarter close periods allows personnel to concentrate on performing the CSA testing more diligently and effectively with less stress. Furthermore, business units and corporate departments now have the opportunity to complete testing of their quarterly and monthly controls before the year-end close, leaving only a few annual controls to be tested during January of the following fiscal year. As a result, the Compliance Group is now able to dedicate more time to meaningful review and accurate aggregation of deficiencies. The results of these changes led to more timely and efficient analysis and reporting of control deficiency aggregation, thus providing the ability to react and correct control weaknesses before they become deficiencies with significant financial and compliance impact.

 

The new multiscope CSA approach allows AES to recognize both greater efficiency and broader coverage with regard to its internal control assessment program. After the first year of implementing the multiscope CSA program, the company has experienced:

 
  • Improved resource allocation at businesses and with the Sarbanes-Oxley Compliance Group.
  • A CSA process that is aligned with the new hub structure.
  • Time and cost reductions while allotting greater attention toward problematic processes and controls.
  • Greater cooperation from process owners and testers.
  • Continued assessment of the most critical controls and risks at smaller AES businesses.
  • A culture of strong processes and internal controls across AES businesses, regardless of size.
 

Our CSA process and best practices provide a value proposition to our organization and key stakeholders that is worth consideration. Internal auditors should recognize that by being flexible with timing and controls to be tested, companies can eliminate unnecessary stress and frustration related to the CSA process. Aggregating and communicating control deficiencies throughout the year helps remedy deficiencies before they result in major problems.

See the AES CSA Survey Questions and Schedule.

 

Sahba Yazdani, CIA, manager, Internal Audit–SOX Compliance at AES Corp., contributed to this article.

 



 


Online Exclusive Materials
Darlene and Aleksei, The links to the CSA Survey Questions and Schedule are at the bottom of the article.
Posted By: Shannon Steffee
2011-06-29 4:24 PM
Information
For some reason I can't find the Survey Questions and Schedule either. Please send me your email and we will send them to you. Re: CSA application. It is designed in-house not a brand name.
Posted By: Aleksei Brizhik
2011-06-29 4:19 PM
Request for Information
Enjoyed reading this article and am interested in the "off-quarter" approach to the CSA process. The end of the hardcopy article states that AES' CSA Survey Questions and Schedule are available online at this site but I can't locate it. Can you provide it or point me to it? Also, what is the Web application used for the CSA process?
Posted By: Darlene Motsinger
2011-06-15 10:46 AM

