Fat risk, lean controls.
“That’s what Bruce McCuaig said SEC guidance and Public Company Accounting Oversight Board standards should be looking for—risk in this case being the rigorous inventorying of compliance risk. It’s not what he found.
McCuaig, chief risk officer for governance, risk, and compliance software firm Paisley, did some word counting recently. In particular, he sought out the ratios of the words “risk” and “control” in Basel II, Australia New Zealand 4360, PCAOB Accounting Standard No. 2, and the PCAOB AS5 that supersedes it. …
McCuaig boiled down his fat risk/lean control idea into 10 essentials for internal control over financial reporting with AS5. The steps:
1. Develop precise, lean entity-level controls. Such controls are more detailed than those offered by the likes of COSO, McCuaig said, and probably already exist in well-run businesses, though perhaps not in the accounting function. A lean control involves management monitoring, process-owner testing, and self-assessment.
2. Ensure a lean, strong control environment. McCuaig described this as “hardening” the control environment. Doing so involves developing detailed criteria to identify and assess all elements of a control environment, identify and report issues, and seek out and deal with bad behavior.
3. Use fraud risk scenarios. McCuaig said companies should know precisely how they would counter any number of not-good scenarios, including executive pressure for “creative” accounting, altered shipping dates, major debt-covenant breaches or the creation of fake customers. They should be confident enough in that knowledge to present it to the board of directors.
4. Assess the risk associated with period-end processes. Forty-one percent of deficiencies stem from problems with periodic financial processing, McCuaig said. Stanching the flow requires a much more detailed consideration than in the past, including the “fat risks” of incorrect calculations; incomplete, invalid, or missing transactions; cut-off errors; and incorrect interpretation of regulations, among others.
5. Focus on significant accounts. Account size is only one consideration, McCuaig said. Risk factors include the exposure to losses, the volume and complexity of activity, the use of the account—is management compensated based on how much money is in it?—and error history, he said.
6. Assess significant risks. For significant accounts, what can go wrong? What could happen if a significant account were misstated? Controls should be assigned only after a consideration of specific risks, and the probability of the risk happening, he said. Risk assessment should be the job of the company itself, and not external auditors who almost always lack the insight to do a proper job, McCuaig said.
7. Limit relevant assertions. Anybody with a keyboard can create an assertion these days, McCuaig said. Relative risk must come into play. He suggested applying a “reasonable possibility” test to assertions, and a senior executive should approve all assertions. Only 20-25 percent of assertions pass that test, he said; those that don’t should be removed from Sarbanes scope.
8. Identify significant locations. As with significant accounts, the largest location may not be the most significant. Companies should consider the quality of an internal control, the susceptibility to fraud, and the number and type of employees, among other factors.
9. Assess the risk associated with IT general controls. IT generates perhaps 5 percent of deficiencies, McCuaig said. “There’s a huge amount of work being done, but I’m not sure how much of it should be for IT,” he said. In general, he would rather focus controls on people than systems, he said.
10. Keep score—track deficiencies. This involves tracking deficiencies, identifying concentrations or absences of them, addressing root causes, and developing a deficiency reporting policy, McCuaig said.”