Academic journal article Journal of Accountancy

Assessing Company-Level Controls: Another Hurdle on the Road to Compliance

Academic journal article Journal of Accountancy

Assessing Company-Level Controls: Another Hurdle on the Road to Compliance

Article excerpt

EXECUTIVE SUMMARY

* THE ASSESSMENT OF COMPANY-LEVEL CONTROLS is a critical part of complying with section 404 of Sarbanes-Oxley. The PCAOB says public companies must assess the design and operating effectiveness of these controls in addition to examining detailed process- and transactional-level control activities.

* COMPANY-LEVEL CONTROLS ARE THOSE THAT PERMEATE an organization and have a significant impact on how it achieves its financial reporting and disclosure objectives. These controls are exemplified by the control environment itself including the tone at the top, corporate codes of conduct and policies and procedures.

* CPAs CAN FOLLOW SIX STEPS TO HELP ENTITIES comply with company-level control requirements. These steps are defining the project plan and key milestones, building a structure to assess the controls, obtaining input on the design of company-level controls, documenting and assessing the controls, testing their effectiveness, and engaging in gap remediation and continuous improvement.

* THESE STEPS ARE REQUIRED OF PUBLIC COMPANIES, but private companies and not-for-profit organizations also can benefit by looking at the process as a best practice that leads to stronger governance and better financial results.

**********

What are company-level controls? How do CPAs go about evaluating their effectiveness? As the compliance deadline for section 404 of the Sarbanes-Oxley Act approaches for some companies, many have yet to face a critical hurdle: the assessment of their company-level controls. The Public Company Accounting Oversight Board says public companies must assess the design and operating effectiveness of company-level controls in addition to examining detailed control activities at the process and transactional levels.

This article provides a six-step process CPAs can use to meet this critical aspect of section 404 compliance. The steps are based in part on the author's experiences as director of finance for Campbell Soup Co. Although only public companies subject to section 404 are required to formally assess company-level controls, nonpublic companies and other types of organizations may wish to do similar evaluations as a best practice.

CONTROLS ARE EVERYWHERE

Company-level controls permeate an organization and have a significant impact on how it achieves its financial reporting and disclosure objectives. One example is the control environment itself, which includes the tone at the top, the corporate code of conduct, policies and procedures, the assignment of authority and responsibility, management's risk assessment processes, fraud-prevention efforts and other company-wide programs that apply to all locations and business units. Company-level controls also monitor the results of operations and the functionality of other controls, including self-assessment programs and internal audit reviews. Oversight activities by senior management, the audit committee and the board also demonstrate these controls.

Section 404 says senior management at public companies must

* State its responsibility for establishing and maintaining adequate internal control over financial reporting and disclosure.

* Assess the effectiveness of the company's internal controls for the current fiscal year.

* Identify the framework used to make this evaluation. To comply, many companies have adapted the COSO internal control framework and its five components-control environment, risk assessment, control activities, information and communication, and monitoring.

The PCAOB says public companies must give adequate consideration to all five components, including detailed control activities at the process and transactional level as well as the other COSO components known collectively as company-level controls. In Auditing Standard no. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, the PCAOB says the external auditor should evaluate whether management's documentation includes all five components of internal control over financial reporting when determining whether it provides reasonable support for management's overall assessment. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.