20 October 2006

SOX 404: Auditors vs. Empowered Employees...

In the November/December issue of Corporate Board Member, 100 Board Directors have sounded off. The PricewaterhouseCoopers Survey on "What Directors Think 2006" asked some tough questions and got some revealing answers.

How effective is your board at monitoring the company's "Risk Management Plan"?

Very Effective - 12%

Effective - 47%

Somewhat Effective - 36%

Would you like to spend more, less or the same time on Sarbanes-Oxley Section 404?

The Same - 64%

Less - 33%

More - 3%


If we try to interpret what these two questions mean in relation to each other, we guess it makes sense. Almost two-thirds of the Board Directors polled want to spend more time on Section 404 and at the same time are saying that they are not very effective at managing the company's risk management plan. Logical? The Board of Directors is looking for answers in the wrong place: the auditors.

The company’s external auditor must report on the reliability of management's assessment of internal control (Section 404).

Colossal and recurring external auditor failures around the world regularly demonstrate the difficulty of providing opinions on the reliability of financial statements. Positive audit opinions are regularly issued on materially false financial disclosures in spite of the fact that the U.S. has developed thousands of pages of rules on how they should be prepared to “fairly” present the company's financial status. The difficulty of providing an opinion or an assertion that internal control is “adequate” or “effective” to ensure the reliability of external financial disclosures is exponentially greater. There are very few guidelines to help auditors decide when there are “adequate” internal controls. Field research done by CARD®decisions with hundreds of groups of senior level internal audit and management personnel has consistently demonstrated that, given the exact same circumstances in a case situation, few groups and few individuals in those groups agree on the combination of control elements from a predetermined control design menu that would provide an “effective” or “adequate” level of control. This is true in spite of the fact that internal audit departments around the world routinely give opinions to clients on whether the clients’ internal controls are “adequate”. It takes very little applied research to demonstrate conclusively that audit opinions on what constitutes an “adequate” level of control involve a huge amount of highly subjective judgment. These findings suggest that reporting these highly subjective opinions on whether controls are “adequate” or "effective" to key stakeholders does not meet the goals of comparability, reliability, and repeatability, key criteria for sound assurance and audit methods.


The Basel Capital Accord II is the first breath of fresh air on the modern management systems for identifying and controlling process variability and driving down errors and rework. Although Basel has clearly recognized that a risk focus is far superior to a fixation on controls compliance, management and the Board of Directors haven't figured that out just yet. When they do, they will be calling in their favors from the legislators.

Really understanding and documenting the processes that feed the disclosures and reporting has to begin with each employee and manager owning it and understanding it themselves, not just internal audit or the external auditor. Only then will the employees become more aware and capable of detecting where controls need to be turned into Total Quality Management objectives.

The Board of Directors only has to look at the risk management acumen of the middle management ranks to really get an accurate "litmus test" of the effectiveness and the adequacy of the company's overall Enterprise Risk Management (ERM) quality score. This is where the true health and the resilience of the company can be found to verify or question SOX 404.
