
COMPANY LEVEL CONTROLS – A PRACTICAL FRAMEWORK

During the past two years a group of internal control specialists from large Dutch companies listed in the USA has held regular meetings to share experiences and to think of best practices for compliance with the Sarbanes-Oxley regulations. In this article, a task force of that group presents a practical framework for “Company Level Controls” which the group considers to be best practice.

IIA SOX platform

In 2003 most large Dutch companies listed in the USA started a programme or project to make their internal processes compliant with the new Sarbanes-Oxley (“SOx”) legislation. SOx section 404 requires management to assess the company’s internal control over financial reporting. The need was felt for a platform that offers the opportunity to meet colleagues from other companies and to discuss SOx-related issues. As a consequence, the Dutch Institute of Internal Auditors (IIA) took the initiative to organise a discussion platform. The main objectives of this group are to share knowledge and experience in implementing SOx, in order to develop best practices, and to support discussions with external auditors.

The following companies have regularly sent a representative to the meetings: ABN AMRO, Ahold, AKZO Nobel, Arcadis, ASMI, ASML, Buhrman, KLM, KPN, Reed Elsevier, Shell, TNT, Van der Moolen and VNU.

Company Level Controls

One of the topics that has led to discussions and differences of opinion is Company Level Controls. The relevant rulemaking bodies have not issued detailed guidance, other than stressing the importance of Company Level Controls, and external auditors have also published only limited guidance. As a consequence, the IIA SOx platform formed a task force, composed of representatives of four companies, with the objective of developing a common standard for Company Level Controls. This standard should comprise a practical framework and a list of controls which can easily be used to assess Company Level Controls in the various companies.

Participants of the platform were willing to share their documentation, and the task force was able to use this as a basis to develop a framework. The results were presented regularly during platform meetings and led to ample discussion and exchange of opinions. This resulted in a framework of twenty-nine key controls in the area of Company Level Controls. In the following paragraphs we present this practical framework.

What are Company Level Controls?

After the May 2005 roundtable with key SOx stakeholders, both the SEC and the PCAOB commented on the strong criticism resulting from the experiences with “year one” SOx compliance. The comments directed the focus of SOx compliance to a top-down, risk-based approach, with a strong emphasis on Company Level Controls instead of a focus on transactional controls.

What are Company Level Controls? The PCAOB gives some examples, although it did not come up with a definition. We regard Company Level Controls as controls that have the following characteristics:

• they exist on a higher level than transactional controls;
• they set positive conditions and boundaries for the transactional controls; and
• they are the internal control infrastructure.

PCAOB section 53

Auditing Standard 2 of the PCAOB gives guidance to auditors on how to assess controls as part of an audit of internal control over financial reporting. Section 53 (see frame) gives examples of Company Level Controls. These examples cover all five components of the COSO framework. Therefore, we based our framework on COSO, taking into account the guidance from Section 53.

PCAOB AS2, section 53

Company-level controls are controls such as the following:

- Controls within the control environment, including tone at the top, the assignment of authority and responsibility, consistent policies and procedures, and company-wide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units (See paragraphs 113 through 115 for further discussion);
- Management's risk assessment process;
- Centralized processing and controls, including shared service environments;
- Controls to monitor results of operations;
- Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs;
- The period-end financial reporting process; and
- Board-approved policies that address significant business control and risk management practices.

Company level control framework

The framework (fig. 1) visualizes the position of Company Level Controls, and their nature and focus, within the COSO framework. It shows that the basis for Company Level Controls lies in the Control Environment: the tone set by the top of the organization, which has a pervasive effect on the control consciousness and the effectiveness of controls in an organization. Another important aspect of Company Level Controls is Monitoring, i.e. the procedures a company uses to ensure that controls throughout the organization work according to plan. Information and Communication is crucial in implementing Company Level Controls: top-down information streams help company management to ensure that their (strategic) management decisions lead to appropriate action at the operating level. Bottom-up information provides management with insight into how their strategies are being dealt with at the operating level, and provides the information top management uses for its Risk Assessments. Based on the assessment of risks, Control Activities are implemented to ensure that management’s objectives are met.

Fig. 1: Company Level Controls within the COSO framework (diagram not reproduced). The figure relates external factors (business: market demands performance; compliance: SOx / Tabaksblat, regulators) to the internal response (control environment, monitoring, information & communication, risk assessment, control activities) and to the company hierarchy (supervisory board, audit committee, executive board, group management, opco management, process owners).

The standard set of Company Level Controls

We have identified a set of 29 controls which fits in this framework and which forms, in our view, the best practice set of Company Level Controls. In some instances individual companies may identify more topics based on their own organizational structure. However, we do not believe it is feasible that companies have less.¹

The best practice Company Level Controls are listed below:

| # | Relevant control item | Category | Most applicable COSO element |
|---|---|---|---|
| 1 | Accounting and Control Manual (existence, availability, authorization, changes discussed and approved) | Accounting and Reporting | Information & Communication |
| 2 | Mandatory training plan for accounting personnel (monitoring of progress) | Accounting and Reporting | Monitoring |
| 3 | Senior management periodically reviews an overview of accounting, reporting and internal control issues (progress is monitored and reported in management meetings) | Accounting and Reporting | Monitoring |
| 4 | Senior Management ensures that certain high risk processes and related significant accounts are only processed and recorded at or via the corporate level (e.g. (deferred) tax, goodwill and other intangibles, investments in subsidiaries) | Accounting and Reporting | Control Activities |
| 5 | Bill of Authority / Authorization table: procuration at the top / senior level (delegation of authorization) (availability, periodic update and authorization) | Assignment of Authority | Control Environment |
| 6 | Senior Management consciously and willingly sets and maintains an appropriate Tone at the Top (e.g. communication throughout the year and behavior examples set by senior management) | Business Ethics | Control Environment |
| 7 | Code of Conduct and disciplinary actions in case of violations (availability, confirmation of compliance, follow up of deviations) | Business Ethics | Control Environment |
| 8 | Fraud risk assessment, appropriate anti-fraud programs and reporting on fraud instances (availability, authorized and monitored) | Business Ethics | Control Environment |
| 9 | Corporate management exercises oversight on litigation and communication with (financial) regulators | Business Ethics | Monitoring |
| 10 | Periodic divisional / operating company review meetings by the Corporate Management Team are held (consistency of Corporate and Division objectives; actual divisional / business unit / operating company results are compared to budget) | Business Planning and Performance | Monitoring |
| 11 | Self assessment of Audit Committee on its own performance (assessment of performance against charter, relationship / performance of internal and external auditor, activities and competencies of Audit Committee members) | Corporate Governance | Monitoring |
| 12 | The Audit Committee exercises appropriate oversight on internal control matters (open communication with senior financial management, internal and external audit) | Corporate Governance | Monitoring |
| 13 | Audit Committee ensures that open communication with internal and external auditors is established and maintained (approval of audit plan, active participation in meetings, private meetings) | Corporate Governance | Monitoring |
| 14 | The Human Resource department reviews the organisational design and the availability of job descriptions (key financial positions) | Human Resource Policies and Practices | Control Environment |
| 15 | A pre-employment screening procedure is in place (implementation instructions, definition of the functions for which screening is required) | Human Resource Policies and Practices | Monitoring |
| 16 | Realistic targets are set and used in performance measurement (undue pressure, mixed (finance, compliance)) | Human Resource Policies and Practices | Control Activities |
| 17 | Human resource policies available (adequacy of hiring, retention and promotion process) | Human Resource Policies and Practices | Control Activities |
| 18 | Agreement on future system development and ongoing IT projects (IT strategic plan aligned to the business plan for development of information systems) | Information Management | Monitoring |
| 19 | Independent reporting line from Internal Audit to Audit Committee | Internal Audit | Monitoring |
| 20 | Periodic report from Internal Audit to the Audit Committee on performance (staffing, progress of the audit plan, the effectiveness of Internal Audit, approval of Internal Audit charter) | Internal Audit | Monitoring |
| 21 | Senior Management monitors the outcome of the periodic process regarding Letters of Representation (or in-control statements) issued by divisions / business units / operating companies (accounting standards, code of conduct, control standards, sign-off structure) | Compliance / Internal Control Function | Information & Communication |
| 22 | Monitoring of the status of identified control issues via control remediation progress reporting (among others: number, nature, remediation, progress) | Compliance / Internal Control Function | Monitoring |
| 23 | Management performs risk assessment and assesses likelihood and impact (analyze, plan, do, check, act) | Risk Management | Risk Assessment |
| 24 | The Supervisory Board reviews corporate strategy and approves the annual budget (non-executive board) | Strategic planning | Control Environment |
| 25 | The audit committee ensures existence, availability, appropriateness and communication of the Whistle-blower procedure (independent reporting, anonymity, performance reporting to Audit Committee on reported instances and resolution) | Whistle-blower | Control Environment |
| 26 | Budget process in place (related to strategy, quantifies goals, regular reporting reviews) | Business Planning and Performance | Control Activities |
| 27 | Design of bonus plans ensures no incentive exists that could lead to improper financial reporting (incentives are based both on financial and non-financial goals, long term development of the company, senior / executive personnel) | Human Resource Policies and Practices | Control Activities |
| 28 | A disclosure meeting is held quarterly to discuss details of P&L / balance sheet with Finance, Legal and Management | Accounting and Reporting | Monitoring |
| 29 | New business meetings with board, group control, legal and IT to discuss the impact on financial reporting, legal implications and IT when the new business is implemented | Risk Management | Risk Assessment |

To elaborate on the relevant control items stated above, the following three examples are given. These examples provide more insight into the required documentation and evidence.

The examples also give detailed information on what testing should include. Testing of Company Level Controls is characterized by the fact that the control description is in many cases focused on meetings and reports on performance. The test work programs will therefore to a large extent focus on the documentation already identified in the control descriptions, the implementation of relevant policies and the actual operation of the policies and procedures.

CLC nr 1: Accounting and Control Manual

Evidence and documentation. Ensure existence of:

• Availability of the Accounting & Control Manual, including communication plan;
• Documented comments of internal / external auditors, including follow up;
• Approval by senior management;
• Change procedures for the Accounting & Control Manual.

Testing considerations. Verify whether:

• Reviews of the Accounting & Control Manual are done regularly to ensure timely updates for changes in applicable GAAP, and documentation of these reviews exists;
• Changes to the Accounting & Control Manual are formally approved by senior management prior to release and distribution;
• Applicable finance staff have access to the most recent Accounting & Control Manual (effectiveness of communication).

CLC nr 7: Code of Conduct

Evidence and documentation. Ensure existence of:

• Authorized Code of Conduct is made publicly available (e.g. on company website);
• Annual confirmation of compliance with the Code of Conduct is being organized;
• Annual evaluation of deviations from the Code of Conduct (e.g. Letter of Representation, ethics committee) by appropriate management;
• Periodic reporting on instances, remediation and action plan for deviations from the Code of Conduct.

Testing considerations:

• Verify, based on interviews with a number of employees at various levels in the company, whether they are aware of the Code of Conduct and whether the code is frequently addressed by Senior Management in communications, e-mails, etc.;
• Verify annual confirmation for a sample of employees;
• Check whether the current version of the Code of Conduct is published on the intranet;
• Verify the existence of formal reporting procedures regarding violations of the Code of Conduct;
• Verify, based on the minutes of the meetings that deal with the violations, whether all violations reported are discussed, disciplinary actions defined and follow-up actions initiated.

CLC nr 12: Self assessment of Supervisory Board on its own performance

Evidence and documentation. Ensure existence of:

• Supervisory Board Charter, including a description of profiles and competencies of Supervisory Board members;
• Self assessment scheduled (agenda) by the Supervisory Board;
• A questionnaire or other tool that ensures that the self assessment is done in a structured way and that all relevant matters are addressed;
• Result of the self-assessment is formally documented and agreed by the Supervisory Board.

Testing considerations. Verify whether:

• Written evidence of these self-assessments exists (agenda, minutes and summarized questionnaire);
• The self-assessment is guided by the questionnaire and conclusions are established;
• All members of the Supervisory Board participate;
• Agendas and minutes of the meetings and, if applicable, follow-up actions are formally identified and results of previous actions are evaluated.

IIA platform going forward

The Sarbanes-Oxley Act of 2002 has kept companies very busy over the past few years. Because of the complexity of the subject, the (Dutch) IIA initiative to organize a SOx-platform group proved and still proves to be a very valuable initiative. We will continue to meet, and we might share some of our thinking in this magazine. Our framework for Company Level Controls is in our view a good example of how the IIA can contribute to improved governance and enhanced internal controls in The Netherlands. We welcome readers of this article to provide their comments in order to improve the practical framework.

About the authors:

The IIA SOx networking Group is open to project leaders of US listed companies located in the Netherlands.

Drs. Ronald Bouman RA has experience with SOx at TNT and is currently interim SOx consultant at Van Der Moolen. Next to SOx he is focusing on Basel II and Solvency II.

Drs. Jaap Gerkes RA has gained Internal Control and Risk Management experience at VNU. Currently he is a senior manager in the Dutch office of Protiviti, Independent Risk Consulting.

Drs. Wilbert Jan van der Werf RA is employed at Koninklijke Ahold N.V. in the SOx area.

Drs. Heiko van der Wijk RA CIA gained SOx experience at KPN (till 2005) and is presently employed at KLM in the SOx area. He is also a board member of the IIA.
