Editor: Please tell our readers about your professional background.
Scofield: I began my career working on traditional audit and tax matters at a small firm in New Jersey. After 10 years I moved to a firm in New York and focused on technology integration with an emphasis on process improvement. The firm was ultimately acquired by American Express Tax & Business Services where I continued to work on technology, developing better practices for internal controls, software implementation, and application controls.
When Sarbanes-Oxley was enacted, I began to work on compliance programs with an emphasis on internal controls. Our consulting services practice was then acquired by RSM McGladrey for whom I have grown the risk management practice here in New York.
Editor: What impact will the recently released COSO* Guidance for Smaller Public Companies have on Sarbanes-Oxley compliance?
Scofield: The guidance issued in June 2006 is meant to be taken into account together with the original COSO guidance issued in 1992. There was a clear message that one size does not fit all when it comes to compliance. The original COSO guidance was difficult for smaller companies to apply because it assumed that smaller companies could implement the same controls that were required of larger companies. The COSO guidance for smaller companies provides a framework with more examples and tools that companies can use to establish good controls along with a functioning assessment process focusing on the risks within their organizations. These tools, such as the questionnaires and risk matrices, provide companies with an easier way to apply the concepts.
Editor: What recommendations do you have for your clients for testing controls to make sure that the controls are coincident with legal requirements?
Scofield: Accounting Standard #2 that was released by the PCAOB focuses on controls that are in place and operating as of the final date of the fiscal year. Notwithstanding this requirement, companies sometimes make the mistake of not testing those controls throughout the course of the year. An element of a strong control environment is one that ensures that controls are operating effectively throughout the entire year. Management in organizations with a risk-based approach would not be satisfied with just one review at the end of the year because it would not reflect that the control environment was working properly.
Editor: Why is the control environment so important to an effective compliance system?
Scofield: The COSO model has the control environment as the foundation for any successful compliance system. Having built a strong system for compliance on the control environment, then everyone within the organization knows what is important and understands its policies and procedures. Workers are more likely to act in the best interest of the organization because they know the consequences for not following those policies and procedures.
The corporate scandals that occurred were the result of companies that did not have the proper control environment, or the proper "tone at the top," in place. The importance of the control environment and the image that an organization gives to the outside world is critical - it cannot just be words. It must be followed up with actions. The concepts behind the "whistleblower policies" and code of ethics must be communicated to employees so they understand that management has strong ethics and wants those taken seriously.
When an external auditor discovers that employees within an organization do not know that a code of ethics exists, this is tantamount to acknowledging that the organization does not have an effective control environment in place. The same is true of organizations where employees perceive an environment where the ethical standards do not appear to apply to top management. Establishing the proper tone is something that every organization should do because it will convey the message that ethical behavior is something that management takes seriously.
With the proper control environment in place, management will want to implement a risk assessment strategy. They can then begin to understand the control activities that need to be in place to mitigate those risks. These three functions - control environment, risk assessment and control activities comprise the majority of what Sarbanes-Oxley requires.
Finally, there must be an effective monitoring program so that management knows that the controls are working properly. A mistake that companies often make is to view the implementation of a compliance system as a static goal. In order to be successful, a company must view compliance as a moving target that needs constant monitoring. Any change in the process must be followed by testing of the controls to ensure that they are still effective.
Building on those elements, the organization can then implement procedures to communicate and provide information to employees on what is expected of them.
Editor: Why is IT so important to the control environment?
Scofield: IT is pervasive throughout the organization; therefore, understanding its impact on corporate objectives is an integral part of COSO and Sarbanes-Oxley compliance. Management should implement general IT controls that focus on broad issues like security. Without these general controls, which state the company's policy for monitoring access rights to various applications, a company will not be able to guarantee their inclusion in each individual application.
Many IT professionals look to COBIT (Control Objectives for Information and Related Technology) for guidance on best practices because it looks at general IT controls and feeds them into each application. With the groundwork laid out (which sets policies and procedures, identifies the IT risks and filters up through the different business applications), an organization can implement business software applications that include the general controls.
When Sarbanes-Oxley was enacted, it seemed that smaller companies were going to be held to the same standards as Fortune 500 companies even though they did not have the same resources available. Since then, it has become clear that the focus needs to be on each company's own risks. After evaluating its risks, a company with significant IT risks will have to implement the proper controls to mitigate those risks while an organization that does not have the same IT risks will not need to make those changes.
Editor: How does a company test its controls, especially to prove to an external auditor that it has proper controls?
Scofield: A company needs to understand when it needs to set up and test controls. Quarterly testing may be too expensive for smaller organizations so they may need to develop their own testing schedules that make sense for them and that will provide accurate results.
Companies also need to understand what their external auditors look for. There needs to be an open discussion with the external auditors when first instituting new compliance efforts, so the company and its external auditors can be of one mind on the important key areas within the compliance framework. If the organization has hired an outside consultant, that party should be present during these meetings. The discussion will allow them to determine which controls need to be tested, when and how often that testing should occur..
The generally accepted methodology for testing is that most automated controls need to be tested once to show they work effectively. Manual controls need to be tested with a higher sample size because there is more risk for human error. An organization may want to consider process improvement in the manual testing area because the cost for testing automated controls is less than the cost for testing manual controls.
Editor: Does it make a difference whether the compliance function is handled by the legal department or a separate department within the organization?
Scofield: It depends on the organization. The current rules and regulations do not mandate who must be responsible for the compliance function so the company will need to determine which department is best suited to handle the task. Regardless of this decision, the person selected needs to have a voice and authority within the organization to get things done, have an understanding of the regulations and requirements and have strong project management skills.
Editor: What is meant by the term, "risk-based approach" and how does it influence the nature, timing and extent of testing?
Scofield: A risk-based approach looks at the risks found in each organization. There are financial reporting risks that are found in every organization which must always be mitigated. However, there are also risks that are unique to an individual company. Applying the same compliance system that exists in one organization to another may mitigate the common risks but will not reduce the risks unique to the organization.
If an organization determines that there are risks in important areas such as financial reporting, management will need to pay more attention to those areas. On the other hand, if a risk assessment indicates that particular risks, such as payroll risks are quite low, management should not focus their efforts there. With a risk-based approach, a company will test the high risk areas more and test the low risk areas less frequently. External auditors may also be able to rely more on the work done in the lower risk areas and focus on the higher risk areas.
Editor: How should professionals within the organization stay on top of new developments in accounting and financial reporting as well as ethics?
Scofield: The key here is awareness, involvement and interaction. Professionals should make time to learn about the latest developments by relying on seminars, industry magazines such as Compliance Week or the CPA Journal and communicating with their peers in similar industries. Take advantage of white papers and web sites of the experts in the field. Going to a full day seminar is an excellent way to make connections, network, and to identify the organizations that are similar to your own. * COSO is an acronym for Committee of Sponsoring Organizations of the Treadway Commission, frequently referred to as the Treadway Commission.
Published December 1, 2006.
