Reliable Control Self-Assessment
James Brady Vorhies ("Brad")
Dallas CPA Society's Continuing Education Day
Hilton Anatole
May 26, 2011

Course Objective
To convince attendees of the advantages of:
- Adopting "reliable" control self-assessments versus attribute testing.
- Obtaining "ongoing" assurance versus one-time assurance from existing internal audit investment.

Biggest Payback
Is going to be for SOX 404 compliant companies
- Because they will be able to replace management's attribute testing of each key control:
  1. With ongoing key control monitoring, and
  2. With management testing of the key control process

Next Biggest Payback
If you develop the infrastructure, then you can monitor all of the company's key controls
- Examples:
  - Business Continuity key controls
  - Debt covenant compliance certifications
  - Any area's key controls
- GRC Application?

SOX Testing Current State
Key financial controls are generally attribute tested, requiring:
- Annual scoping
- Flowcharts and/or narratives
- Test case per key control
- Sample selection per key control
- Attribute test per key control

Attribute Testing Approach Challenges
- Key control attribute testing requires audit skills to perform
- Difficult to embed testing in management's process
- No ongoing assurance
- Attribute testing is seen as a non-value-add, duplicative cost

Current SOX Cost Saving Strategic Initiatives
- Scoping to decrease controls tested
- Automation of key control reviews
- Increase reliance upon management's internal testing

New SOX Compliance Strategy
To both decrease cost and improve management's controls monitoring:
- Develop reliable key control self-assessments
- Create an ongoing management monitoring process
- Embed responsibility with control owners and responsible management

Transformation: SOX Testing to Controls Monitoring
Transformation is accomplished by creating "reliable" self-assessments that replace control attribute testing
- AS 5 allows management to implement their own process – the only requirement is that it is "effective"
- SEC guidance addresses self-assessments and requires they be "reliable"
- COSO's vision is controls monitoring

Transformation Advantages
- Ongoing assurance – right things get done right
- Self-documenting
- Embedded process owned by management
- Better employee understanding & acceptance of controls
- Self-assessments are great training aids
- Better visibility – all key controls on an automated timeline
- Ensures tasks get completed – regardless of employee status
- Leverages off of current investment – start with key controls
- Reduced compliance cost
  - Minimal attribute testing
  - Frees audit resources
- Greater coverage – GRC framework for control assurance?

Evolution: Testing to Monitoring – EFH's Story
2001 – Ongoing manual KAC self-assessments program (implemented December 2001)
2004 – First SOX 404 Opinion:
- Deloitte RCTS application
  - Control owner – VP/manager who had key controls tested
- Annual scoping and testing effort
  - For each key control an individual test plan, sample and attribute test
  - Maintained narratives, flowcharts and other process documentation
- Sample size ~40 / roll forward all high risk ~10
2006 – SOX 404 Opinion – Combined
- Automated key controls self-assessments
  - Control owner – owns, executes and self-assesses the key control
- Abandoned test plans – key controls documented in CMT
  - Key controls mapped to significant accounts & relevant assertions
- Limited sampling and attribute testing
  - Test the key controls process (key control owners)
  - Attribute test high volume transactions (easier)
    - Journal entries
    - Account reconciliations
- Key control sample size ~40 / roll forward ~None

Reliable Self-Assessments
3-step process:
- Must construct reliable self-assessment process
- Must monitor self-assessment process
- Must test self-assessment process

Reliable Self-Assessments Step 1
Must construct reliable self-assessment process
- Required components
- Required training
- Required company cultural change
Online real-time self-assessment tool necessary to improve timeliness of assurance
- But manual process can be "reliable"

Necessary Components for Reliable Self-Assessments
- Quality standards
  - Defines done right
  - Derived from management's control objectives
- Evidence standards
  - Sufficient, competent – reliable evidence
  - Insufficient evidence, it didn't happen
  - Very similar to what you are currently using
- Frequency of review
  - Workday due – same for all periods (i.e. WD 3)
  - Calendar due date – for specific period
  - Based upon how often management wants assurance
- Intelligent review and approval

Intelligent Review and Approval
- High risk – must be reviewed and approved
- Low/Medium risk – answer "Yes" & self approve
- Anytime answer "No", must:
  - Document exception explanation
  - Document action plan
  - Forward for review and approval
  - Evaluate as a deficiency (financial controls)

Intelligent Review and Approval – continued
Required review and approval if:
- High risk
- New key controls
- Significant changes in key control(s)
- New control owner
- Issues with key control completion
Key Control Exception = Failure to meet a:
- Quality standard,
- Evidence standard,
- Or, due date established in the standard
May not be a deficiency
- May not create a potential for misstatement if failure was only to achieve a quality or evidence standard
No exceptions is the theoretical goal

Challenge – No Transactions During Period
- More efficient to say "No Occurrence" than to report a key control exception
- So answers for what the control standard achieved would be:
  - Yes
  - No
  - No Occurrence
- Have to provide an explanation in comment field (business rule should require comment)
- Important for backup personnel who "own" the same control as the primary control owner
- Can apply to almost any control owner's control

Reliable Self-Assessments Step 2
Must monitor self-assessment process
- Annual review of all key controls
  - Discuss with control owner
    - Ensure they understand their key controls
    - Control standards written right
    - Evidence exists as stated
    - Comments appropriate
- Process advantage – control owner understanding of their key controls

Reliable Self-Assessments Step 3
Must attribute test self-assessment process
- Test to determine if control owners complied with process requirements and that the process is reliable
- Interim testing of about 40 control owners and all of their key controls
- Also, attribute test high volume areas
  - Journal entries
  - Account reconciliations

Self-Assessment Advantages over Attribute Testing
- Ongoing assurance
- Cost savings
  - Fewer test samples and attribute tests
  - No test cases to update (must maintain KCRs)
  - Less need to maintain narratives, flowcharts and control matrix (matrix maintained in KCs application)
- Insignificant cost to add a new key control to monitor
  - Ops – add a new KCR

Self-Assessment Challenges
- Requires executive management support
  - If management isn't testing now – they may not want to monitor
  - You will have to convince your auditors
- Requires fundamental change in company culture
  - Must become an embedded part of normal job responsibilities
  - Just signing off is falsifying company records
- May need to pay for an automated process?
  - Difficult to cost justify

Internal Audit – Controls Monitoring?
- EFH's Internal Audit function primarily operates on a pre-SOX basis
  - Review the SOX key controls along with all other key controls during their ongoing audits
  - Audit reviews the financial controls compliance department's annual testing
- Could Internal Audit determine an area's key controls and then monitor them via control self-assessments?

Internal Audit's Transformation from One-time to Ongoing Assurance
Goal – Enable Internal Audit achievement of ongoing assurance and risk monitoring
- Enable ongoing monitoring of the company's key operational and compliance controls
- Decrease the number and cost of "New" audits
- For essentially the same investment as required for a one-time internal audit with one-time assurance.
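The "Intelligent Review and Approval" rules and the "No Occurrence" business rule from the Step 1 slides above, modelled as a routing check for a self-assessment tool. This is an added Python illustration, not EFH's CMT/KCR application; the record fields, the workday-due calculation (weekends skipped, holidays ignored) and the sample assessments are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


def workday_due(period_end: date, workday: int = 3) -> date:
    """Due date = Nth workday after period end (the slides' 'WD 3').
    Assumption: weekends are skipped and holidays are ignored."""
    d, left = period_end, workday
    while left:
        d += timedelta(days=1)
        if d.weekday() < 5:        # Monday..Friday
            left -= 1
    return d


@dataclass
class Assessment:            # hypothetical record shape, not a real KCR
    control_id: str
    risk: str                # "High", "Medium" or "Low"
    answer: str              # "Yes", "No" or "No Occurrence"
    period_end: date
    submitted: date
    comment: str = ""
    action_plan: str = ""
    new_control: bool = False
    significant_change: bool = False
    new_owner: bool = False


def route(a: Assessment) -> dict:
    """Apply the review/approval rules and flag missing required fields."""
    problems = []
    if a.answer not in ("Yes", "No", "No Occurrence"):
        problems.append("answer must be Yes, No or No Occurrence")
    late = a.submitted > workday_due(a.period_end)
    # A key control exception is a failure to meet a quality, evidence
    # or due-date standard: a "No" answer or a late submission is one.
    exception = a.answer == "No" or late
    if a.answer == "No":
        if not a.comment:
            problems.append("exception explanation required")
        if not a.action_plan:
            problems.append("action plan required")
    if a.answer == "No Occurrence" and not a.comment:
        problems.append("No Occurrence requires a comment")
    # High risk, any exception, new/changed control or new owner: review
    needs_review = (a.risk == "High" or exception or a.new_control
                    or a.significant_change or a.new_owner)
    return {"late": late, "exception": exception, "needs_review": needs_review,
            "self_approve": not needs_review and not problems, "problems": problems}
```

Only a Low/Medium risk "Yes" or a commented "No Occurrence" that is on time and on an unchanged control self-approves; everything else is routed for review.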
Internal Audit's Payback Challenge – "New" Audits
Current State
- "New" audits because of normal audit cycle and changes that occur
- High "New" audit investment
- During each "New" audit
  - Spend time and resources determining controls and recommendations to implement missing or to fix broken controls
  - Perform follow-up review
  - Only obtain one-time assurance for investment
Future State
- Perform same "New" audit
  - Perform same audit and reporting steps
  - THEN – IA helps the area's management develop key control self-assessments for each of the area's identified key controls.
  - Obtain ongoing assurance for essentially the same investment
  - Prevent future "New" audits and full "New" audit cost

Enable Ongoing IA Client Engagement & Assurance
Current State
- Assurance is only obtained from a one-time follow-up review to ensure that internal audit's recommendations were appropriately implemented
Future State
- IA stays engaged with the area's management on an ongoing basis.
- IA's existing role as internal consultants will be greatly augmented
- IA's independence is not affected
- For essentially the same investment as for a one-time audit with one-time assurance, obtain ongoing assurance

Follow-up Reviews
Current State
- A future full-size and full-cost repeat audit effort is required when the area hits the audit cycle again
Future State
- Follow-up reviews for "monitored areas" will be used to:
  - Review each area's key controls and self-assessment reports.
  - Ensure that the right key controls are
    - Identified
    - Appropriately monitored
    - Designed and operating effectively.
- An audit universe risk-based approach can still be used to define the frequency of follow-up reviews for monitored areas

Challenges to IA Monitoring Approach
- Value proposition decreases if company doesn't have "New" audit syndrome
- Must sell value to executive management
  - New "cost" (non-incremental) to areas being monitored
- Determine if payback is there:
  - Mitigate risk by "pilot project"
  - Determine success of monitoring approach
  - If successful – roll out