Review Control Lens - Deloitte


Refocus your management review control lens
Improve your ICFR program by resolving common challenges

While anniversaries are usually an opportunity to celebrate and reflect on accomplishments, the Sarbanes-Oxley (SOX) 15-year anniversary this past July did not follow that trend. Instead of celebration, the 15-year reflection was met by several observations from management:

• The cost of compliance is too high.
• Internal Control over Financial Reporting (ICFR) programs lack modernization.
• Regulators continue to focus on ICFR.

We believe that one driver of the high cost of compliance is the continued set of challenges related to management review controls (MRCs). MRCs have been cited by the Public Company Accounting Oversight Board (PCAOB) as an auditor area of focus each year since the release of the October 24, 2013 Staff Audit Practice Alert No. 11. Management is also challenged by MRCs, spending time and resources to address continued control deficiencies, significant deficiencies, or material weaknesses and to answer questions from auditors to meet regulatory expectations.

We believe that the solution is in management's hands and involves refocusing the lens by modernizing the ICFR program through implementation of leading practices, innovation, and technology to increase the level of precision of MRC performance and enhance the testing approach. Ultimately, these actions may serve to reduce the cost of compliance and increase the reliability of financial reporting.

Effective internal controls are also good for business. As Wesley R. Bricker, SEC chief accountant, stated in his December 4, 2017, speech at the 2017 American Institute of Certified Public Accountants (AICPA) Conference on Current SEC and PCAOB Developments:

"Well-run public companies have effective internal controls not just because internal controls are a first line of defense against preventing or detecting material errors or fraud in financial reporting, but also because strong internal controls are good for business and can have an impact on costs of capital. It is important for audit committees, auditors, and management to continue to have appropriately detailed discussions of ICFR in all areas—from risk assessment to design and testing of controls, as well as the appropriate level of documentation. If left unidentified or unaddressed, internal control deficiencies can lead to lower-quality financial reporting which can ultimately lead to higher financial reporting restatement rates and higher cost of capital."

In this point of view, we will explore how management can refocus its internal control lens related to MRCs by providing insights regarding select pillars of success, common challenges, and how world-class organizations are modernizing and renewing their focus on the ICFR program. We believe these insights can provide a roadmap for management that may increase the reliability of financial reporting while decreasing the related cost of compliance.

What are MRCs?

Examples of MRCs include, but are not limited to, reviews of:

• Any analysis involving an estimate or judgment.
• Comparisons of budget to actual.
• Financial results for components of a group.
• Fair value estimates.
• Transactional activity processed by a company's IT system.
• The impact of adoption of new accounting standards (e.g., revenue recognition or lease accounting) or new legislation (e.g., 2017 Tax Cuts and Jobs Act).
• Accounting for infrequent transactions or events.

"Management review controls are the reviews conducted by management of estimates and other kinds of information for reasonableness. They require significant judgment, knowledge, and experience. These reviews typically involve comparing recorded amounts with expectations of the reviewers based on their knowledge and experience. The reviewer's knowledge is, in part, based on history and, in part, may depend upon examining reports and underlying documents."
– John Fogarty, Retired Partner, Deloitte & Touche LLP

What is so challenging about MRCs?

There are multiple challenges associated with MRCs, most of which are interconnected. This interconnectedness is itself a challenge: like dominoes, if one falls, the others are sure to follow. It is the same with MRCs: if one of the select pillars fails, the other pillars will be impacted.

We believe the select pillars that can serve to increase the level of precision of MRCs and enhance the testing approach are people, data quality, risk identification, documentation, and control design. Below is a summary of each pillar, the common root causes that challenge the integrity of each pillar, and leading practices.

Why are people important?

"Accounting personnel resources and competency/training" were cited as contributing factors in material weaknesses in 72 percent of adverse opinions, or 26 percent of internal control issues in those adverse opinions, for 2017 integrated filers. While the allocation to MRCs is not specified, the point is that insufficient competency, training, and resource levels are an underlying root cause of material weaknesses. While a professional may have impressive qualifications, the critical aspect is knowledge, experience, and competency in regard to their specific ICFR role.

Data is based on a download from the Audit Analytics website (www.auditanalytics.com) as of January 5, 2018 (Source Dates through December 28, 2017). Data is limited to annual reports issued during 2017 (based on Source Date of annual report).

People

People perform the review of key assumptions and judgments utilizing data and information.
Therefore, the foundational pillar is ensuring that ICFR responsibilities are assigned to individuals with the appropriate competency, authority, and knowledge for the MRC area and that those responsibilities, as well as MRC complexities and challenges, are well understood.

Common root causes that challenge the integrity of the people pillar include:

• Lack of a documented baseline for the MRC activity in sufficient detail to establish a baseline understanding for those who perform the control and those who test the control (e.g., internal audit, SOX testers, and external audit; the "control testers").
• Insufficient succession planning, training, and cross-training considerations as people frequently change roles and responsibilities. Succession activities establish the necessary expectations to onboard those who may not have sufficient knowledge and competency for the specific ICFR role. In order for succession to be effective, the baseline understanding of the MRC, established through documentation, is required.
• An insufficient number of resources who are stretched too thin, resulting in control performance issues.

Leading practice solutions utilized by world-class organizations include training and documentation policies as described below.

Data quality

MRCs rely on information, such as data and reports, with reports being either system generated or non-system generated (e.g., spreadsheets and end-user computing (EUC)). For these reasons, controls over the completeness and accuracy of the data or reports used in the performance of the control need to be identified, incorporated into the control activity documentation, and tested. As the saying goes, garbage in, garbage out: if bad data is reviewed, the reviewer's conclusion is ineffective and may cause a misstatement.

Common root causes that challenge the integrity of the data quality pillar include:

• Data and reports used in the MRC are not identified and are therefore not considered in control documentation or testing.
• Lack of understanding regarding who owns the controls over the data and reports used in the MRCs, resulting in those controls not being considered in testing.
• Resource limitations due to the time spent to extract, aggregate, and manipulate data for analysis, resulting in less time being spent on confirming the completeness and accuracy of that data.
• EUCs are often used for the most complex controls, and the size, scale, and complexity of such spreadsheets often grow exponentially, becoming monstrous and unmanageable, resulting in ineffective or insufficient spreadsheet controls.

Leading practice solutions utilized by world-class organizations include documentation, spreadsheet integrity checks (SIC), and robotic process automation (RPA), as described below.

Risk identification

Robust risk assessment procedures are necessary to identify, analyze, and respond to financial reporting risks. Sufficient analysis should be performed, especially for areas that include subjective judgment related to estimates, key assumptions, and complex accounting for transactions, accounts, and disclosures, to identify the risk of material misstatement ("RoMM") for the area. Once the RoMM is identified, management can design MRCs to respond.

Common root causes that challenge the integrity of the risk identification pillar include:

• RoMMs are not identified at the level of granularity that specifies what the specific subjective judgments, estimates, key assumptions, or complex accounting areas are and what can go wrong.
• The RoMM is identified, but the right control is not selected to mitigate it.
• A lack of revisiting risk assessments as changes occur.

Leading practice solutions utilized by world-class organizations include a robust risk assessment, documentation policies, and data analytics and visualization, as described below.

Documentation

Documentation falls into two general categories:

1) Documentation of the control activity details.
2) Documentation to support execution of the control activity.

Documentation of control activity

Documentation of the control activity details is needed to establish a baseline understanding for those who perform the control and for control testers. Sufficiency of documentation is often undervalued and overlooked, yet it carries significant upside benefits that may result in increased reliability of financial reporting and ICFR program efficiencies. These include:

• Establishing a baseline understanding of the control activity details, which serves as the single source of truth.
• Utilizing the baseline understanding to:
–– Support succession planning, training, and cross-training of control performers.
–– Enforce accountability and responsibility of the control performers for executing procedures consistently and in line with expectations.
–– Effectively inform the control selection process when identifying controls to mitigate RoMMs.
–– Evaluate the level of precision of the control, a necessary assessment in concluding on risk mitigation.

Common root causes that challenge the integrity of the documentation of control activity details pillar include:

• Lack of a documented baseline of the MRC control activity. We often observe the absence of important control activity details, such as:
–– Inputs used in the control (e.g., data, reports, external benchmark information).
–– Identification of the key assumptions or judgments that are subject to review.
–– The criteria requiring further investigation (e.g., dollars and percentages).

–– The steps the reviewer is expected to perform, including steps to confirm completeness and accuracy of inputs, steps to challenge the reasonableness of the key assumptions or judgments, and steps for investigation and resolution.
–– The outputs of the control, including what constitutes evidence of control performance.
• Management does not view documentation as a value-added activity and therefore does not allocate resources for documentation efforts.
• Management does not have governance policies requiring that MRC documentation reflect current processes; as a result, it is difficult to enforce accountability.

Documentation of control execution

Document the execution of the control, including evidence to support challenges raised in the review, contradictory evidence considered, and the level of precision of such procedures.

Common root causes that challenge the integrity of the documentation of the execution of the control pillar include:

• Lack of the control performer's understanding of what constitutes evidence of execution of the control; therefore, evidence is not proactively documented and retained.
• Availability of auditable evidence. When evidence supporting the steps of the control is not available, control testers may conclude that the operating effectiveness of the control is deficient.

MRCs are especially challenging because reviews often happen in real time, involving multiple inputs and more than one reviewer in a meeting setting. Management needs to retain evidence to support the steps performed by the control performer(s), that is, the inputs and the outputs of the control. Oftentimes, this evidence is in the form of meeting minutes summarizing key items challenged and their resolution, iterative versions of the analysis through the final version, and emails or notes for follow-up procedures. It is nearly impossible to recreate such evidence several months after the fact.

Leading practice solutions utilized by world-class organizations include documentation policies as noted below.

Control design

It is important to design controls to operate at a level of precision that would prevent or detect a RoMM.

Common root causes challenging the control design pillar include:

• Not designing specific steps to mitigate the identified RoMM. We have observed instances where control design is limited to "management reviews key assumptions." In this case, the potential for a material weakness exists (i.e., ICFR is not effective), as the RoMM may not be addressed. A well-designed con
