Many people say life speeds up as you get older. Maybe that’s why the year-end crunch seems to keep getting tighter. The end of Q3 is upon us and year end is right around the corner. While the company’s SOX testing may be under control, we have some recommendations for your 2015 internal control checklist that expand beyond SOX and should help set you up for a year-end process that runs as smoothly as possible (yes, it is time to be thinking about these issues):
1. Check in on COSO
By now, most companies have transitioned to the 2013 version of the Committee of Sponsoring Organizations (COSO) internal-controls framework, although there are some holdouts. Before you go any further in this checklist, if your company has not yet made the transition, we recommend that you familiarize yourself with the new framework, map your existing controls and identify any gaps.
The Securities and Exchange Commission has not confirmed a timeline for going after companies that have not migrated to COSO 2013, but lack of COSO compliance can still lead to problems. From an internal control over financial reporting (ICFR) perspective, if one or more of the new framework’s 17 principles are not present and functioning, a major deficiency may exist. This would equate to a material weakness under Section 404 of the Sarbanes-Oxley Act. Not something that management, the board or investors are likely to want.
2. See if you need to expand enterprise risk reviews
The latest COSO framework calls on companies to have an operational risk assessment program, and to identify risks that may derail their ability to reach corporate objectives. Most companies record their significant risks in their 10-Qs and the 10-K, of course, but they may need to rethink or expand the information sources.
The assessment should include input from business units and appropriate levels of management. Has the company also created an upward/downward communication route for identifying, documenting and addressing lower-level risks that impact smaller entities and regional operations? If not, now would be a good time to make a change.
3. Put out some fraud feelers
Another COSO requirement is consideration of fraud risk. A proven way to address the issue is to conduct fraud brainstorming sessions with various employee groups. It could provide a whole new perspective. When employees are asked to “think like a fraudster” and brainstorm “how a fraud could perpetrate itself at the company,” they may reveal gaps or risks that had never been contemplated on a companywide scale.
4. Evaluate how management reviews controls
For controls that require management review, particularly for complex processes, it’s important to document the steps taken as part of the review process. Supporting documentation will make any auditor questions that pop up easier to handle and could also make the process easier when next year rolls around, or in the event of a personnel change.
5. Touch base with your auditors
Management must evaluate the adequacy and completeness of the key reports used for preparing financial statements. By now, the company should have the list of key reports handy. If you have not already done so, we recommend meeting immediately with your external auditor to confirm that the list is appropriate, while there is still an opportunity to address gaps prior to fiscal year end.
6. Take a fresh look at related-party and significant or unusual transactions
A new auditing standard could bring this issue to the forefront, even for companies that may think they do not have such transactions. To head off extra questions by auditors, companies should consider: Is the board or audit committee aware of all related-party transactions, including suppliers, vendors and customers? What if employees haven’t disclosed them? Does the company have a documented process to assess related-party transactions and determine when disclosure is required?
Here’s a quick trick that could be revealing: Compare employee addresses to vendor addresses to see if there are any matches. While it may not turn out to be a problem, a match could be a flag that requires further investigation.
Be aware that external auditors need to conduct new procedures to comply with Auditing Standard 18—Related Parties (which became effective for audits occurring on or after December 15, 2014), and they will report their results to the audit committee. The report will include transactions they found that the company had not told them about, as well as deals that were not authorized or approved in accordance with company policies, or that appear to lack a business purpose.
Also make a point to review significant or unusual transactions. Is the company preparing memos or documenting the approval and controls process for significant or unusual transactions? Your external auditor needs to report on this as well.
Ideally, these internal control and compliance areas are already a part of your toward-the-end-of-the-year checklist. If they’re not, you may want to start right now. That clock keeps ticking!
Alisanne Gilmore-Allen is a member of the RoseRyan dream team. She is a Certified Internal Auditor, Certified Fraud Examiner, Certified Information Systems Auditor, and she has a Certification in Risk Management Assurance. Alisanne spent over seven years helping Big 4 clients with enterprise risk management, and she has consulted for and headed the internal audit departments at Bay Area technology companies.