The Changing Focus on Internal Controls Over Financial Reporting

Since the issuance of Part 363 of the FDIC rules and regulations, and the passage of the Sarbanes-Oxley Act, significant attention has been paid to an entity’s internal control over financial reporting (ICFR). This attention has increased over time in light of certain business failures and cases of fraudulent financial reporting, and ICFR has never been under as much scrutiny as it is today. As a result, regulators, auditors and boards of directors are asking management a myriad of questions related to ICFR, such as:

Do you have them?  Of course you do.

Have you documented them? Of course you have.

Is the documentation complete and representative of what is actually happening in your institution?  Well…for the most part. 

Are your controls effective?  You think so.

Can you prove it?  Maybe not as well as you think.

Why Should Management Be Concerned?

Between technological advances that continually change operating processes and the increasing complexity of financial reporting, there is a lot to consider with regard to the adequacy of controls. But today there is enhanced scrutiny over “management review controls.” What are they? They are just as described: within many control processes, management reviews specific transactions, documents, reports or financial statements to prevent or detect errors or misstatements. This review is generally evidenced by the reviewer signing off either manually or electronically. The Public Company Accounting Oversight Board (PCAOB), in Audit Practice Alert No. 11, indicates that “verifying that a review was signed off provides little or no evidence by itself about the control’s effectiveness.”

As a result, it is important to understand what is behind the sign-off.  For instance:

  • What is the objective of the review? It is not uncommon for the person performing a review to have a control objective that is different from (or less than) what others believe to be the objective of the review. For instance, with regard to an account reconciliation, is the reviewer simply ensuring that a reconciliation has been completed and there appear to be no unusual items? Or is the reviewer completing a check of mathematical accuracy, agreeing balances used in the reconciliation to supporting information, verifying the validity of reconciling items and determining whether adjustments require posting? Documenting the nature of the procedures to be performed in procedural manuals, and requiring documentary evidence of the review procedures on the actual documents/reports being reviewed (i.e., tick marks and notations), will serve to enhance the evidence of the review.
  • Is the reviewer qualified to perform the review, and does he/she have the authority to challenge the information being reviewed? A highly effective review control can only exist in an environment where a person has the requisite skill set to review and understand the information, and the authority to challenge incomplete or incorrect information. As a member of management, it is important for you to ensure that the tone at the top of the organization fosters a strong control environment, one that allows for transparency and effective communication.
  • What is the frequency of the control and the review? Do they occur often enough to prevent or detect misstatements in a timely manner? Preparation and review procedures should evidence the date of performance.
  • What information is used in the review? Is it system generated or manually prepared? Either way, controls over financial reporting should be focused on the completeness and accuracy of information generated. System-generated information requires a focus on information technology general controls, such as those related to system access, change management and file maintenance. Manually prepared information requires a focus on the source of information as well as its mathematical/spreadsheet accuracy. This distinction relates not only to the nature of the review required, but also to the complexity of the review.

It is 2017 – Do You Know Where Your Management Review Controls Are?

Reviewing your ICFR documentation and highlighting management review controls is an effective exercise. Are the controls where you expected them to be? Should any controls be added or deleted? Most importantly, can you answer the questions above? You are likely in a position where you have just completed your internal control documentation and testing for 2016. As a result, these concepts should be familiar to you. It’s an appropriate time to re-evaluate!