TL;DR: Based on survey responses from approximately 500 chief audit executives and other internal auditors, this paper provides an insider's view of the perceived strength of an organization.
Abstract: SUMMARY: Based on survey responses from approximately 500 Chief Audit Executives (CAEs) and other internal auditors, this article provides an insider's view of the perceived strength of organizatio...
TL;DR: This article finds that significant management bias and opportunism around the discretionary inputs of audited complex estimates, including fair value measurements (FVMs), raise questions about the appropriateness of those discretionary inputs.
Abstract: Research documents significant management bias and opportunism around the discretionary inputs of audited complex estimates, including fair value measurements (FVMs), which raises questio...
TL;DR: In this paper, the authors attribute the appeal of internal controls as a policy option to systemic forces including the movements for deregulation and cooperative compliance, resistance to overt federal preemption of state corporate law, the monitoring model of the board of directors in corporate governance and audit committee ascendance, the social responsibility movement and the diversification of auditing services.
Abstract: Congress responded in similar ways to 2001's major national crises: bolstering internal controls in corporate America under the Sarbanes-Oxley Act in response to Enron's debacle and imposing internal controls on its financial services industry under the USA PATRIOT Act in response to 9/11's terrorism. These reflexive legislative responses to national crisis fit a pattern of proliferating controls as a first-order policy option dating to the mid-1970s. Documenting this proliferation and untangling the definition of internal controls, this Article attributes the appeal of internal controls as a policy option to systemic forces including the movements for deregulation and cooperative compliance, resistance to overt federal preemption of state corporate law, the monitoring model of the board of directors in corporate governance and audit committee ascendance, the social responsibility movement and the diversification of auditing services. Manifest appeals include the limited substantive content control directives carry and the increasing harmonization of control types around audit committees, compliance officers, employee training manuals and external audits of controls fitting neatly into the team production theory of corporate practice and law and making even mandatory controls appealing to corporations being implicitly regulated. Illuminating the limits of this policy option is an examination of comparative attitudes towards control risk shown by the auditing and legal professions. Audit approaches control risk with a formal context, definition and measurement apparatus consciously aware of risk's inevitability and that controls may increase or decrease risk. Yet auditors advertise their product as capable of doing more. Legal culture takes the advertisements seriously. The resulting expectations gap can be reinforced when audit's emphasis on systems and controls creates false impressions that these reflect likely achievement of underlying objectives. 
Proliferation of internal controls in the face of crisis shows social anxieties. Assuaging social anxieties with these tools can create illusions of control and denial of risk. Legal culture is telling managers to take steps to buy absolute control; audit culture is happy to sell it; the truth is, there is no absolute control. No system provides absolute assurance. The gap is significant between (1) what systems can deliver versus (2) what legal culture expects and what auditors advertise they can deliver. When internal controls fail, the policy response is to require audits of controls. This is the story of Sarbanes-Oxley. In the 1970s, the SEC persuaded Congress in response to crisis to pass the Foreign Corrupt Practices Act requiring companies to have internal financial controls. In the early 2000s, in response to crisis perceived to originate in internal control failure, the SEC persuaded Congress to pass Sarbanes-Oxley requiring auditors to audit those internal controls. In this cycle of control mandates followed by audit mandates, pressure builds on audit to create controls that can be audited. But since controls do not automatically reduce audit risk and may increase it, audits of them cannot speak to the effectiveness of underlying substance over which controls offer no reliable assurance. Legislative enthusiasm for controls as crisis-response mechanisms pretends controls can do more than they can and when controls consequently proliferate they can do even less - it becomes hard to assess which controls are effective. Control proliferation and generality complicate foreseeability analysis in tort. If controls applied only in particular settings with defined functions, they could indicate that related risk realization was foreseeable. They might be useful in assessing difficult pragmatic questions of causation when losses arise after controls fail. 
But when every aspect of corporate affairs is layered with elaborate controls there is no credible basis for drawing such inferences. Control signifies nothing special, and so offers no insight concerning foreseeability or causation. This has not, however, prevented using control failures in exactly this mistaken way. When controls fail, the existence of control norms, directives, or practices is treated as relevant to evaluating the standard of care exercised and matters of causation and foreseeability, with little or no regard to the particular control at issue or its underlying substantive purpose. But Sarbanes-Oxley and PATRIOT show two polar extremes of control types: internal controls over financial reporting and controls dedicated to fighting terrorism. Two competing models of regulatory theory map onto this range. The deterrence model hypothesizes that target decision-making is conducted by comparing the cost of compliance with the product of enforcement threats and penalty levels. The cooperation model enlarges the framework by recognizing norms of compliance that may be skewed by the simple adjustment of threat and penalty levels. For internal controls the relative purchase of these models varies with the tenor of the control: financial controls link to the deterrence model, where penalties for failure should be high and liability likely; externally oriented controls are congruent with the cooperation model, where penalties and liability risk should be zero. This theoretical account of the distinction between control types is consistent with the longer history of corporate law, but the current legal environment's ambitions for internal controls threaten to upset this traditional stance. This appears most acute in the case of terrorism and provides an internal-controls-based defense of general compensation schemes such as the 9/11 Victims' Compensation Fund.
TL;DR: In this paper, the authors examine how the level of quantification in client evidence and client control environment risk influence auditors' planned substantive testing and find that auditor attention to client risk can exacerbate the influence of the quantification of client evidence on audit judgment and that this effect is not remedied by a simple intervention.
Abstract: Recently, the auditor's role in contributing to the reliability of critical accounting estimates reported by their clients, including fair value measurements (FVMs), has received significant attention because key management inputs to these estimates are subjective and susceptible to bias. Client management frequently uses third-party specialists to assist in preparing the FVMs reported in financial statements. As a result, auditors routinely evaluate client specialist reports, which contain both quantified and non-quantified data. We use this fair value setting to examine how the level of quantification in client evidence and client control environment risk influence auditors' planned substantive testing. While auditing standards and risk-based auditing do not support choosing an audit approach based on the level of quantification in the client evidence, we find that in high client risk conditions, the level of quantification in the client evidence influences auditors' proportionate effort allocation of planned testing of management's estimate. Specifically, auditors allocated less proportionate effort to testing the subjective inputs of management's estimate when the level of quantification in the client evidence and client risk were high. In a follow-up experiment, we provide evidence that a regulatory practice alert reminding auditors to focus more audit effort on FV inputs that are susceptible to management bias does not lead to a change in the proportion of auditors' effort allocation observed in the first study. The alert also does not change auditors' tendency to be influenced by the level of quantification in the client's evidence. However, the practice alert motivates an increase in overall audit effort. Prior studies were aimed at documenting how attention to client risk can improve audit judgment.
We provide new evidence, however, that auditor attention to client risk can exacerbate the influence of the quantification of client evidence on audit judgment, and that this effect is not remedied by a simple intervention.
TL;DR: In this article, the authors present a review of the AS5 Standards for Auditing Internal Controls and their application in ITIL, CobiT, and SOx ERM.
Abstract: Preface. Chapter 1: Introduction: Sarbanes-Oxley and Establishing Effective Internal Controls. Changes Since SOx Was First Introduced. Converging Trends: ITIL, CobiT, and Others. Chapter 2: Sarbanes-Oxley Act Today: Changing Perspectives. Sarbanes-Oxley Act: Key Elements. Impact of the Sarbanes-Oxley Act. Chapter 3: AS5 Standards for Auditing Internal Controls. AS5 Objectives. Reviewing Section 404 Internal Controls Under AS5: Introduction Planning the SOx AS5 Audit. AS5's Top-Down Approach. Testing Internal Controls. Evaluating Identified Audit Deficiencies. Wrapping Up the AS5 Audit. Reporting on AS5 Audit Internal Controls. Improving Internal Controls Using AS5 Guidance. Going Forward: Potential Risks and Rewards. Chapter 4: Establishing Internal Controls Through COSO. Importance of Effective Internal Controls. Internal Control Standards: Background. Events Leading to the Treadway Commission. COSO Internal Control Framework. Other Dimensions of the COSO Internal Control Framework. Chapter 5: Using CobiT Framework to Improve SOx Controls and Governance. CobiT Framework. Using CobiT to Assess Internal Controls. CobiT and Sarbanes-Oxley. Chapter 6: Performing Section 404 Reviews Under AS5: An Ongoing Process. SOx Section 404 Assessments of Internal Controls Today. SOx Section 404 Requirements. Section 404 Filing Rules: Changing Deadlines for Eligibility. Gaps and Compliance Committees Under Today's SOx Rules. Documenting Internal Controls Going Forward. Control Objectives and Risks Under Section 404. Chapter 7: Other SOx Requirements: Sections 302, 409, and Others. Other Important SOx Compliance Rules. Section 302: Management's Financial Report Responsibilities. Section 401: Off-Balance Sheet Disclosures. Section 409: Disclosures on Financial Conditions and Operations. Section 802: Penalties for Altering Documents. Section 806: Whistleblower Provisions. Keeping SOx Rules in Focus. Chapter 8: Using ITIL to Align IT with Business Processes. 
Importance of the Information Technology Infrastructure. ITIL Framework. ITIL Service Delivery Best Practices. ITIL Service Support Best Practices. Security Management. Linking ITIL with CobiT and SOx Internal Controls. Chapter 9: Importance of Enterprise Risk Management. Importance of Risk Management. COSO ERM Framework. Other Dimensions of the COSO ERM Framework. Putting It All Together. Auditing COSO ERM Processes. COSO ERM in Perspective. Chapter 10: International Standards: ISO, Quality Auditing, and SOx. Importance of ISO Standards in Today's Global World. ISO Standards Overview. Quality Audit Process. IFAC International Accounting Standards. Chapter 11: Internal Audit in a Sarbanes-Oxley Environment. Profession of Internal Auditing. Internal Audit Professional Standards. CBOK: Internal Audit's Common Body of Knowledge. Chapter 12: Importance of Effective Corporate Governance. Reporting Whistleblower Incidents: Establishing a Hotline Facility. Building an Enterprise-Wide Ethical Culture. Chief Compliance Officer Roles and Responsibilities. Board of Directors and the Audit Committee. Assessing SOx Internal Controls. Index.