Both Board of Directors’ independence and Compliance Committee (or other applicable committee) oversight are essential to this Objective because the Compliance Committee needs to be actively engaged to be comfortable that the company has implemented the internal controls under Sarbanes-Oxley (SOX) 404(a), as required under Principles 1 & 2. The external auditors must then be comfortable that this requirement is met. Finally, there must be evidence that the company has appropriate disclosure controls because that is central to the objective. This is all tested against Board independence and Compliance Committee oversight over those activities that management has undertaken and their engagement and conversations with their external auditor.
Under Principle 3, structures in reporting lines, authority, and responsibility are essential to recognizing revenue. There are processes in an entity’s internal controls or financial reporting details. There are policies, and there is documentation. The authority for and documentation of the judgments being made, and the review of those responsible for making the ultimate judgments about the recognition of revenue, and about the recognition or timing of the revenue and the expenses, all need to be in place.
Under Principle 4, a business must attract, develop, and retain competent talent. Of course, this is good business as well. But it is more than simply some appropriate levels of staffing; one of the reasons that companies have said they do not have money to reinvest in the deep dive study and process improvement necessary to implement it [the 2013 Framework] is that it comes down both to commitment level from the top and the tone at the top that this is important and these financial disclosures are critical to the ability of the investors to rely on the company’s disclosures. You must ensure the team can access the right level of technical accounting talent and business process and controls talent to make the judgments.” All of this, of course, ties into Principle 5, which mandates that individuals be held responsible. This requires someone to document that they have made a judgment based upon the evidence they have accumulated, that the company has analyzed that evidence, and has gone through the process of comparing this to the COSO 2013 Framework and the spirit of the standard. Howell said, “Those individuals are being held responsible for doing that properly. When you tie all that back together, when you get to the control environment, the COSO principle number one is that it can be completely tied back to what is required.”
Three Key Takeaways:
- What controls do you have in place to measure conduct at the top?
- Reporting lines must be clear and functioning.
- You must provide the right personnel with the right resources.
For more information on building a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.