Editor: Why is the control environment so important to an effective compliance system?
Scofield: The COSO* model has the control environment as the foundation for any successful compliance system. Having built a strong system for compliance on the control environment, then everyone within the organization knows what is important and understands its policies and procedures. Workers are more likely to act in the best interest of the organization because they know the consequences of not following those policies and procedures.
The corporate scandals that occurred were the result of companies that did not have the proper control environment, or the proper "tone at the top," in place. The importance of the control environment and the image that an organization gives to the outside world is critical - it cannot just be words. It must be followed up with actions. The concepts behind the "whistleblower policies" and code of ethics must be communicated to employees so they understand that management has strong ethics and wants those taken seriously.
When an external auditor discovers that employees within an organization do not know that a code of ethics exists, this is tantamount to acknowledging that the organization does not have an effective control environment in place. The same is true of organizations where employees perceive an environment where the ethical standards do not appear to apply to top management. Establishing the proper tone is something that every organization should do because it will convey the message that ethical behavior is something that management takes seriously.
With the proper control environment in place, management will want to implement a high risk assessment strategy. They can then begin to understand the control activities that need to be in place to mitigate those risks. These three functions - control environment, risk assessment and control activities comprise the majority of what Sarbanes-Oxley requires.
Finally, there must be an effective monitoring program so that management knows that the controls are working properly. In order to be successful, a company must view compliance as a moving target that needs constant monitoring.
Editor: How does a company test its controls, especially to prove to an external auditor that it has proper controls?
Scofield: A company needs to understand when it needs to set up and test controls. Quarterly testing may be too expensive for smaller organizations so they may need to develop their own testing schedules that make sense for them and that will provide accurate results.
Companies also need to understand what their external auditors look for. There needs to be an open discussion with the external auditors when first instituting new compliance efforts, so the company and its external auditors can be of one mind on the important key areas within the compliance framework. If the organization has hired an outside consultant, that party should be present during these meetings. The discussion will allow them to determine which controls need to be tested, when and how often that testing should occur.
The generally accepted methodology for testing is that most automated controls need to be tested once to show they work effectively. Manual controls need to be tested with a higher sample size because there is more risk for human error. An organization may want to consider process improvement in the manual testing area because the cost for testing automated controls is less than the cost for testing manual controls.
Editor: What is meant by the term, "risk-based approach" and how does it influence the nature, timing and extent of testing?
Scofield: A risk-based approach looks at the risks found in each organization. There are financial reporting risks that are found in every organization which must always be mitigated. However, there are also risks that are unique to an individual company. Applying the same compliance system that exists in one organization to another may mitigate the common risks but will not reduce the risks unique to the organization.
* COSO is an acronym for Committee of Sponsoring Organizations of the Treadway Commission, frequently referred to as the Treadway Commission.