One quip attributed to Yogi Berra, the oft-quoted Hall of Fame catcher for the New York Yankees, applies here: “It's amazing what you see when you look.” I am sure many misstatements and frauds are overlooked because of faulty risk assessments that do not indicate an observable risk. All the more reason not to shortcut the process of gathering evidence to support low-risk assessments and periodically reexamining decisions about risks. For example, in 2004 and 2005, few companies or auditors included the stock option granting process in their controls assessments. In the past it was not on the radar screen for substantive audit testing, either because it seemed to be a rather low-risk area or because it was subject to written corporate policies and clear accounting rules and was not generally noted as a risk area. There was no explicit exclusion of this process in the Sarbanes-Oxley (SOX) Act or any other guidance. Well, what followed was a discovery by an outsider academic (Dr. Eric Lie) of a widespread “fudging” of the stock option dating process to favor the executives receiving the options. Companies and their auditors were embarrassed by the discovery. For sure, this is not a forgotten process these days.
As you perform this analysis, you may wish to review your conclusions with your independent (external) auditor to see if your reasoning is on target with his or her expectations. Having to expand a project late in the year can be both annoying and expensive. In one case I can recall, a reluctant client with an attitude started with a proposed scope of coverage that was far less than any reasonable estimate of the required scope under the standards and kept coming back time and time again with proposed incremental increases, becoming angrier and angrier that the scope had to increase and never understanding that the better answer was to start at the other end and exclude trivial and low-risk aspects of the entity. In the end, the same result would have been achieved by starting with a broad scope, with the side benefit of decreased blood pressure for all involved.
After the Initial Year
It does not hurt to think longer term. The first year of documentation requires a significant commitment of time and effort. You may prioritize the core that needs to be included in year 1. However, in subsequent years, you should consider whether to expand the documentation process into a few other less significant areas. Additionally, you should consider if your experience has offered a better way to document the core areas for more efficient update and assessment in the future. Once you have the internal experience in doing the documentation and assessment, you will find these procedures do not take long to perform, and you may conclude that unexpected benefits and efficiencies can be gained from digging into the business at this level. Many entities are today following the same documentation paths in some core areas that were established early on when first documenting processes and controls.
A frequent opportunity that is missed to reduce costs and attain some benefits of the controls focus is to adopt an attitude of “continuous improvement” in the process and testing. Taking good ideas back from conferences or even examining best practices from within the organization can result in significant benefits. Auditors sometimes fall into the trap called SALY (same as last year), which creates a false sense of efficiency when changes occur in the business.
Also frequently encountered and a contributor to higher-than-necessary costs is the lack of training and learning on the part of today's assessment teams. It might be shocking, but many new college accounting major graduates have not had significant exposure to COSO or any of the issues discussed in this book. In the early days of increased attention to internal controls, one could understand this. Today, more than a decade later, not all of the professors and the texts they use have caught up with this important and durable topic. Some professors claim there is no room for the subject in their curriculum. Also shocking is the number of company employees who are expected to learn on the job by following their predecessors' practices. Without some global understanding of this whole COSO process, how could one expect to figure it out from just following specific procedures? Since the approach is conceptual and not prescriptive, some level of conceptual understanding is essential to effective implementation. We are all familiar with the parlor game where a thought is shared around the room and morphs in meaning as the message is passed. Such is the nature of some on-the-job training unless supplemented by consistent, effective structured training.
Mapping the Entity to the Financial Statements: Ins and Outs
In the last section, we illustrated a technique for using revenues to identify the core of the entity for documentation and assessment. A further suggestion would be for the controls documentation project manager to make a template of accounts and balances based on the recent financial statements. Both the balance sheet and the income statement are relevant, so include them along the left column of a multicolumn spreadsheet. In most financial reports, the detailed accounts listed in the consolidated auditor's report are material in amount, or else they likely would have been summarized in some way. Enumerate them in the spreadsheet. Decide on some meaningful way of expressing the different parts of the business across the top rows: say, by segments/divisions/locations/types of revenues, and so on, that describe your entity. (I will call these “segments” for discussion purposes.) Leave a column between each segment. Now, using data relating to each of the identified segments, break out the aggregate consolidated numbers into the individual segments. In some commercial companies, there exist sales subsidiaries for which a sales activity is the only activity associated with the location; order fulfillment and other activities are accounted for elsewhere. In such entities, do not be surprised if some such segments only have one relevant or significant process or transaction cycle (sales to cash).
Have the spreadsheet compute for you each segment's percentage of the consolidated total. What you should see emerging from this analysis is the ability for you to identify the central core of your entity. You may wish to give special consideration to the implications of transactions (or transfers of costs and revenues) between segments, if there are any, even though they may be eliminated during the consolidation process.
In Table 2.2, the financial statement data is used to identify those accounts and cycles that are to be included in the scope of the documentation and assessment project.
Table 2.2 Using the Financial Statements to Set the Scope – Summary Categories
This example shows summary financial data only as an illustration. The New York location is a headquarters and a first-stage manufacturing center; sales transactions are conducted out of the Connecticut facility, which finalizes the product to specifications for shipment. By including the assets and liabilities and expenses at corporate and the revenues at the primary sales location, most of the core business can be covered. The income row is not a very meaningful one from which to make inclusion or exclusion decisions in this example; however, it may be in some situations. Note that in the Barings Bank implosion, the previously significant Singapore-based contributions to consolidated earnings from trading currencies originated from a tiny operation, one that would not be detectable if assets were used to determine scope. The same was true with Orange County, CA, where the profits (before the collapse) from interest rate derivative trades were far more significant than any associated fixed assets or even expenses. Even in the areas that are not identified as the core, a risk assessment, some documentation, and some analysis regarding key controls may need to be developed, since the amounts in the noncore areas are not often trivial.
Do not be surprised if the largest revenue and the largest cost contributors are not in the same segment or location. The key is to look at the entity as a whole and identify where the revenues and costs are accumulating. In some universities, revenues (e.g., day tuition, graduate tuition, night school tuition, fees, etc.) are meticulously segregated, but the costs of undergraduate, graduate, and distance learning faculty may be all accounted for in the aggregate and not separated. In a municipality, the budget may also be an excellent tool for risk assessment and scoping.
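The scoping worksheet described above, sketched in Python as an added example (it is not from the book). The amounts, the "Trading desk" segment and the 10% cut-off are constructed assumptions and are not the Table 2.2 figures; the small-asset, high-earnings segment mirrors the Barings point by showing what an assets-only view leaves out.

```python
# Added example. All amounts (in $ thousands), the "Trading desk" segment and
# the 10% threshold are constructed assumptions, not the Table 2.2 figures.
WORKSHEET = {
    "Total assets":      {"New York": 8200, "Connecticut": 1500, "Trading desk": 300},
    "Total liabilities": {"New York": 5100, "Connecticut": 700,  "Trading desk": 200},
    "Revenues":          {"New York": 400,  "Connecticut": 8400, "Trading desk": 1200},
    "Expenses":          {"New York": 6300, "Connecticut": 2500, "Trading desk": 200},
}
# Derived income row: revenues minus expenses for each segment.
WORKSHEET["Income"] = {
    seg: WORKSHEET["Revenues"][seg] - WORKSHEET["Expenses"][seg]
    for seg in WORKSHEET["Revenues"]
}

THRESHOLD = 0.10  # assumed cut-off for "significant share of the consolidated total"


def segment_shares(row):
    """Each segment's fraction of the consolidated total for one account row."""
    total = sum(row.values())
    if total == 0:
        # Offsetting balances net to zero; flag any non-zero segment for review.
        return {seg: (float("inf") if amount else 0.0) for seg, amount in row.items()}
    return {seg: amount / total for seg, amount in row.items()}


def scope(worksheet, rows=None, threshold=THRESHOLD):
    """Map each in-scope segment to the account rows that pulled it in."""
    reasons = {}
    for name in rows or worksheet:
        for seg, share in segment_shares(worksheet[name]).items():
            # abs() so a loss-making segment is judged by size, not sign.
            if abs(share) >= threshold:
                reasons.setdefault(seg, []).append(name)
    return reasons


if __name__ == "__main__":
    for name, row in WORKSHEET.items():
        cells = "  ".join(f"{seg}: {share:8.1%}" for seg, share in segment_shares(row).items())
        print(f"{name:<18}{cells}")
    print("Assets only:", sorted(scope(WORKSHEET, rows=["Total assets"])))
    print("All rows:   ", scope(WORKSHEET))
```

Scoping on the asset row alone selects New York and Connecticut only; adding the revenue and income rows pulls in the small trading segment as well.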
You may have to slice and dice your entity several different ways (e.g., product line, location, revenue type such as cash sales and Internet sales) in order to find a logical entity profile or use these different perspectives in ensuring all important areas