Seven Actions a CEO Should Take Before Certifying the System of Internal Controls

by Scott Green, CPA

Beginning in November of this year, CEOs will certify that their system of internal controls will provide reasonable assurance regarding the reliability of financial reporting and the preparation of the financial statements for external purposes. Most companies have been preparing for this by hiring consultants, convening project teams, documenting and evaluating processes, and addressing control weaknesses. But what happens after the project team disbands, the consultants leave and the regulatory focus on Section 404 of the Sarbanes-Oxley Act gives way to other priorities? The CEO still puts his or her career, personal wealth, and even freedom on the line every time he or she certifies the company’s internal control structure. How do you know that controls continue to operate? Where should you focus your limited time to ensure your internal controls will continue to provide reasonable assurance of financial reporting reliability?
CEOs are different from other managers. Their toolkit must be general and yet highly developed. They are no longer simply product experts, service providers, marketers, technologists, financial specialists, operations experts, risk managers, or behavioral specialists; they are all of these. They may have reached the pinnacle of their company by excelling in one field or specialty, but their ability to simultaneously manage many different functions and issues within time constraints is what separates them from other managers. Vision is often cited as the most important attribute a CEO can have, and I agree with that assessment. But the world is full of visionaries who cannot execute. No, the difference is more complex than simply owning vision. The difference is the ability to manage very different functions, people and constituencies towards that vision.
Most CEOs have long recognized the importance of actively managing corporate strategy and governance processes, human resources, marketing and financial functions, legal and regulatory issues, and technology strategy, but seldom did the discipline of internal control enter the picture until the passage of the Sarbanes-Oxley Act. Now the principal executive officer, together with the principal financial officer, must certify that their internal control over financial reporting will provide reasonable assurance regarding the reliability of financial reporting and the preparation of the financial statements for external purposes in accordance with Generally Accepted Accounting Principles. Management’s assertions will be tested by the company’s external auditors and deficiencies publicly disclosed. Material failure of the system of controls could lead to a fine of $5 million and up to 20 years in prison. That is reason enough for a CEO to add the internal control discipline to his or her skill set.

A CEO need not become a control specialist. But to adequately understand internal control, it is helpful to understand how an auditor approaches control evaluation. Whether they like to admit it or not, auditors are risk averse. They approach every process with professional skepticism, they seek proof that controls are operating effectively, and then they thoroughly and completely document it. It is likely that a CEO got to where he or she is by assessing threats and taking on risk, not avoiding it, so “learning” to look at a company from an internal control point of view means evaluating risk differently. The CEO must now approach all financial reporting processes with professional skepticism. He or she must seek proof, either through inquiry, observation or inspection of physical evidence, that controls are indeed working. There are seven actions that every CEO can take to help obtain comfort that important controls continue to protect the company. These actions are not exhaustive, but will provide significant coverage of potential issues and reasonable assurance that controls continue to operate effectively.

Action 1 - Require Regular Management Reports Communicating Key Control Metrics
Controls have a way of failing if no one is watching. For every assertion in the financial statements, there should be an indicator, automated alert, or other procedure designed to help a manager determine how well the related control is working. The indicator might be a simple factor, such as the number of days lost to injury; a metric, such as the percentage of product defects; a list that details unavailable materials; an exception report that points out threats to a system, such as when an attempt is made to circumvent system controls; or even periodic reviews and testing in which an inventory count is made or system capacity tests are performed.

One of my favored control reports is a listing of all reconciliations performed, who is responsible for the reconciliation, the last time the reconciliation was completed, and the gross amount of reconciling items.  Not just cash reconciliations, but also system to system comparisons and physical inventory of assets to the books and records.  Reconciliations are a powerful detective control, and if done properly, can provide a great deal of comfort that the accounts are correct.

A listing of all critical controls supporting financial statement assertions should already exist if the company’s preparations for complying with Section 404 are nearing completion. Have a report prepared that lists the critical controls identified during this comprehensive review, a description of the metric that measures performance for each significant control, the frequency of measurement, the current performance of that metric, and the benchmark or targeted performance. A review of this report will tell the CEO what is being measured, where, how often, and how well the control is working. Benchmarking is a terrific management tool that can help bring perspective to this raw data. There are many sources on which you can draw, both internal and external to your organization. The advantages of going the extra mile to develop external benchmarks are significant. External benchmarks help identify best practice, highlight performance gaps, and can help management identify sources of competitive advantage. Data that is developed independently of your company can provide a litmus test of the success of your organization. Since information can be dangerous if inaccurate, the CEO should make inquiries into those areas that are falling short of expectation. The report should also be periodically audited, either by internal audit or by some other qualified person independent from those preparing the report, to ensure it is reliable.

Action 2 - Require Executives to Identify and Assess Changes to Key Systems, Processes and People
Change is the most significant threat to your recently completed control documentation project.  Change, whether to processes, people, or systems, must be monitored, evaluated and, where necessary, action taken to ensure controls continue to operate.  Segregation of duties is a common and basic control lever often deployed in organizations.   This lever divides tasks into discrete bits so that no single person can effect a transaction without the help of others. This is done by separating the custody, recording, and approval functions for any process. But if the process changes, that segregation may be lost.  Likewise, if a supervisor with unique and specific knowledge about a particular operation is no longer available, the approval function may become compromised.  

Changes to systems can also unintentionally alter or eliminate controls. A well-designed change control testing program will validate that controls are operating before the change is migrated into production.  Under such a program, no changes can be made to an active system without testing on a separate test server. And, then, the migration of new code into production is closely supervised.

CEOs should require that managers document all changes to key processes, people and systems since the last certification. This should include an evaluation of the impact of the change on the control structure. For instance, was the change planned? Does the change impact who performs the custody, recording and approval functions? Is there still an independent reconciliation done to ensure all is operating as intended? Were replacement personnel identified and trained prior to the change, or after? How does the manager know that controls are still operating? Has process documentation been updated? These and similar inquiries will help the CEO gauge how well the transition was managed and the risk that controls have been compromised.


Action 3 - Require Managers to Sign Off on Their Financial Statements as Accurate
Requiring managers at all levels to approve periodic financial reports for their area of responsibility is a simple but powerful tool. Rather than relying solely on financial personnel to determine if everything is booked appropriately, why not include the analytical eye of those who run these businesses? By requiring ownership of items booked to their area of influence, managers will take a closer look at what is there and whether it appears correct. The CEO should make it clear that he or she holds each manager responsible for the content of their financials. Their signature represents ownership and accountability.

Action 4 - Identify and Evaluate Material Non-routine Processes
Financial systems normally handle a high volume of transactions from multiple sources, which must be captured, classified, and reported. Distinguishing between routine transactions and non-routine transactions or estimates can help a CEO focus on those areas that are at greater risk for error. In distinguishing between these classes of transactions, routine transactions are generally subjected to a more formalized control structure in order to handle the anticipated volume efficiently and accurately. Routine transactions might include payroll, cash disbursements, procurement, and so on. Non-routine data and estimates tend to be less common and more subjective, such as the calculation of income tax expense, estimating the allowance for doubtful accounts and determining pension liability. Controls over these types of transactions are typically less formal. More care needs to be given to the non-routine and estimation transaction control structure. Not only should the sources of data be mapped and evaluated, but assumptions, models, and advisors used to develop the estimates should be challenged and the results documented.  Have your financial team develop a list of non-routine sources of material information.  Understand the sources of this information, whether assumptions are aggressive or conservative, and if derived from a spreadsheet or other model, ensure a qualified person independent from the person operating the model has reviewed it from a technological and data quality standpoint.

Action 5 - Repeatedly Challenge Financial Reporting and Disclosure Policies
A CEO must gauge the aggressiveness of accounting policies and the adequacy of disclosures in order to comfortably certify the financials. Although the possible disclosure omissions and financial presentation errors are many, CEOs can focus their activities where they will be most effective. While auditors look at all accounting policies, there are certain areas where financial reporting problems continually surface. These include unsupported large top-side entries; aggressive revenue recognition; regular recognition of non-recurring charges; regular changes to reserve, depreciation, amortization, or comprehensive income policy; related party and off-balance-sheet transactions; complex products that few understand; under-funded defined benefit plans; and footnote disclosures.

Unsupported Top-Side Entries - Top-side adjustments are entries not automatically produced from the company’s accounting system; instead they are manually booked adjustments added “on top” of automated results by management. As discussed earlier, these would fall under the category of non-routine transactions. Many of these adjustments are appropriate and ensure business activities are accounted for in the correct period; however, they can also be used to increase reported income or hide inappropriate actions. CEOs need to question material top-side entries and, if appropriate, review supporting documentation. I can feel every CEO in the country cringing at the thought of reviewing accounting entries, but this action could keep you out of jail. Much of the financial manipulation conducted at WorldCom was the result of top-side entries shifting expenses to the balance sheet. Whether Bernie Ebbers knew or not is irrelevant. He needed to know, and so do you. Get an internal auditor or other accounting expert independent of finance to summarize material top-side entries and the strength of the support for each entry. Then discuss with Finance. CEOs should insist that they keep explanations simple. Finance professionals can easily bury a person with data. If they cannot explain an entry easily, then the adjustment is likely aggressive or improper. Keep digging.
Aggressive Revenue Recognition Policies  - Understanding when revenues are recognized is the first step to comprehending the quality of the revenue stream. Revenues of the highest quality are those that are booked after the customer has received, accepted, and paid for the product or service without any further performance requirement or contingency. A typical red flag for an auditor is revenue that is matched to future performance or expenses. Qwest Communications has stated that, between 1999 and 2001, it incorrectly accounted for more than $1.1 billion in transactions. Revenues were contingent on the purchase of fiber capacity and future services, but they were improperly booked as earned.  A CEO should evaluate alternative revenue recognition methodologies available to the company and ask the CFO why these were rejected in favor of the current practice. The revenue policy applied must have a sound business rationale that is easily understood.  

Ever-Present Nonrecurring Charges -  Companies are continually making provisions for future expenses, even if they are not sure of their exact amount. There has been an epidemic of merger, product return, lawsuit, obsolete inventory, and bad loan expenses that usually give rise to reserves or nonrecurring charges. There are many legitimate nonrecurring expenses — due to acts of nature, mergers, and asset sales. If your company regularly reverses reserves, such as reorganization expenses, back into operating income, it is likely that this activity has created inflation in reported results. A CEO should question his financial officers regarding:

  Why are the charges nonrecurring and not a part of normal operating income?
  How was the amount of the charge determined, and how accurate is it?
  What is the likelihood that all or a portion of the charge will not be used?
  What disclosures will be made regarding the charge in the financial statements?

These questions should be asked repeatedly until the CEO is comfortable with the answers.

Regular Changes To Reserve, Depreciation, Amortization, or Comprehensive Income Policy - Frequent changes in accounting guidance can also mask real financial performance. It is to be expected that the dollar amount of reserves will change with the business climate, but the method used to calculate reserves should not. If an increase in sales results in an increase in accounts receivable, then a corresponding and proportional increase in reserves and bad debt expenses would be expected. If there does not seem to be a direct correlation, CEOs should challenge the consistency of the reserve calculation. Any change in methodology should be justified by long-term trends, not short-term needs.

Related-Party Transactions - Related parties are entities whose management or operating policies can be controlled or influenced by another party. A “conflict of interest occurs when an individual’s private interest interferes in any way, or even appears to interfere, with the interests of the corporation as a whole.” Such arrangements might benefit the company and may not be detrimental per se.  Where conflicts arise, they must be well communicated, managed, and subjected to detailed and unimpeachable oversight to ensure that stockholders benefit from doing business with the related party.  The CEO should be able to demonstrate this oversight.  What is clear is that “Employees, officers and directors should be prohibited from (a) taking for themselves personally opportunities that are discovered through the use of corporate property, information or position; (b) using corporate property, information, or position for personal gain; and (c) competing with the company.” A CEO needs to show that the company will not tolerate such actions through words and deeds. In coordination with the Action 7 attestation below, all executives and directors should be polled regarding their knowledge of related party transactions, personal or otherwise.  Oversight of transactions identified should be reviewed, determination made regarding the benefit to the company, and a disclosure in the notes to the financial statements produced. This would be best accomplished by a committee consisting of independent directors to demonstrate unimpeachable due process and reasonable assurance that such transactions are well controlled and monitored.

Complex Products - Some companies provide complex financial products, such as structured financial instruments containing derivatives, or use multifaceted hedging strategies that few understand. When a star performer produces complex products, few want to challenge this success or reveal that they don’t understand how the system works. In the early 1990s, neither Procter & Gamble nor Gibson Greetings could price complex options sold by Bankers Trust and, therefore, were experiencing unknown yet material losses on their positions. It is important that a CEO insist that managers or their employees map out complex products or strategies and that the strengths, weaknesses, opportunities and risks of the product or strategy are well understood. Ensure that the market value of the product can be determined.

Under-funded Defined Benefit Plans - Although defined benefit plans are being replaced by defined contribution pensions, such as 401k plans, there are still many in existence. These plans can have a huge effect on a corporation’s net income. CEOs need to review plan assumptions. Expected returns on plan assets in excess of 8 percent should be challenged. Only a plan that’s 100 percent invested in stocks would have a chance of exceeding an 8 percent return over time, and that is if past financial performance holds. The fact is that many pension funds have exposure to bonds and other lower-yielding instruments and will do well to earn 8 percent. Even with the recent turnaround in the stock market, defined benefit plans continue to lose ground as obligations to workers have increased even faster than stocks have risen. This could be due to more claims from an aging population or low interest rates magnifying the present value of benefits. If your plan is under-funded, the assumptions used should be well understood by your finance staff and independent actuaries, and a plan for addressing this liability should be in place to ensure there are not undue shocks to the company’s cash flow.

Footnote Disclosures - All executives and directors should be polled to determine if they know of any information that should be considered for disclosure in the financial statements. Human resources might know of a possible diversity suit of which the general counsel has not yet been made aware, the COO might know of a possible worker grievance gaining steam, or the CIO may have just learned that important technology utilized by the entity will not be supported next year. Accumulating this data is the important thing, rather than the source. Such communications should be encouraged rather than punished and, ideally, a committee of knowledgeable executives and board members can evaluate them and determine which should be disclosed. A thoughtful process where management is properly informed and uses business judgment will go a long way toward demonstrating “reasonable assurance.”

Action 6 - Support Strong Internal Audit and Control Self Assessment Functions
The role of the internal audit department just became more important with the passage of the Sarbanes-Oxley Act. Organizations can no longer afford weak audit functions. Many organizations have their general auditor report into the CFO. The theory is that the CFO understands finance and control, so this reporting line makes sense. However, the general auditor must feel free to report issues to the CEO and board without reprisal. The CFO has such an important role in the control structure of a company that he or she can easily be conflicted regarding audit findings. The general auditor should report directly to the CEO. They should partner in reducing the overall risk to the company’s control structure and, in the process, the personal liability of the CEO. The audit department can independently aid with risk analysis and control testing, and corroborate much of the information discussed in this article. They can also effectively aid the implementation of a company-wide control self assessment program, passing on control assessment knowledge to managers throughout the entity. The more people you have evaluating the control structure, the more comfort a CEO can have during the certification process.

Action 7 - Require All Employees to Attest to Their Understanding of a Code of Conduct
Executives need to ensure that all employees understand not only their responsibility to adhere to good ethical principles, but also their obligation to report any related party transactions, conflicts of interest or other compliance issues through appropriate channels. By having all employees annually attest to a code of conduct, management demonstrates that it takes the code seriously. The protocol for reporting suspected fraudulent behavior or grievances should be spelled out in the code of conduct, as should employee protections. This will aid the flow of information to the CEO and the board.

Seven Steps Checklist (mark each action Yes or No)

Action 1. A timely report of key assertion control metrics and testing results indicates that all are working or that operational secondary controls mitigate the risk. This report has been validated for accuracy by a competent, objective and trusted source.  Yes / No

Action 2. All managers have evaluated changes to systems, processes and people since the last certification. Documentation has been updated and the impact on controls assessed and tested.  Yes / No

Action 3. All managers have approved financial statements for their area of responsibility as being accurate. Any issues raised by management have been adequately vetted.  Yes / No

Action 4. All non-routine sources of financial information have been thoroughly reviewed and assumptions challenged.  Yes / No

Action 5. The red flags of financial reporting have been vetted with the CFO and other board members.  Yes / No

Action 6. Internal Audit and control self assessment reports are clear of any relevant assertion deficiency.  Yes / No

Action 7. All employees have attested to their understanding of the code of conduct (ethics) in the past 12 months.  Yes / No

Conclusion
While there has been unprecedented time, effort and money spent documenting, evaluating and improving internal controls, the nation’s CEOs are rightly concerned about the ongoing impact of the Sarbanes-Oxley Act. Over time, the natural decay of the control environment can lead to personal liability. It is risky for a CEO to rely solely on outside auditors, the CFO or others to identify deficiencies. CEOs need to add internal control evaluation skills to their managerial toolbox and ensure that processes are in place to detect atrophy and avoidance of key controls. While not designed to be all-inclusive, the Seven Actions a CEO Should Take Before Certifying the System of Internal Controls can help focus activities and provide an early warning system so that problems are detected prior to the issuance of the financial statements. These actions will also demonstrate management’s commitment and control competence to employees and external audiences such as the company’s public accountants. Such measures benefit both the company and the executive by ensuring that the system of internal controls continues to protect the company and, as a result, limits the personal liability of the CEO.

Copyright 2004 Wiley Periodicals