Timely, relevant, and accurate information – it is what every company desires. Without quality information, management cannot make sound or timely decisions, investors cannot rely on a company’s financial reporting, and customers, regulators and other key stakeholders cannot fulfill their objectives, whether those objectives are guided by laws, regulations or commercial incentives.
Within this CFGInsight, we will provide (1) a rundown of information quality issues we see at many clients, (2) a checklist to assess your company’s state of control over information and (3) some practical tips companies can employ to ensure that they obtain, generate and use relevant, quality information.
INTERNAL CONTROLS FRAMEWORK
Over the last couple of decades, companies have expanded their footprint overseas, updated their Information Technology (IT) infrastructures, and outsourced many of their critical processes to third-party service providers. These changes, amongst a handful of others, precipitated the need for an updated internal control framework – and so emerged the Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s 2013 Internal Control – Integrated Framework (the “2013 COSO Framework”).
The 2013 COSO Framework consists of 17 Principles representing the fundamental components of an effective system of internal control. All 17 Principles must be “present and functioning” for a company to conclude that its system of internal control is effective. Principle 13 (the organization obtains or generates and uses relevant, quality information to support the functioning of internal control) is the main focus of this CFGInsight. Although Principle 13 (and all the Principles, for that matter) extends beyond financial reporting, we will be limiting our discussion to internal controls over financial reporting (i.e., those controls which fall under the realm of Sarbanes-Oxley, or “SOX”).
WHAT’S ALL THE BUZZ ABOUT?
Key spreadsheets. Electronic Audit Evidence (EAE). Information Produced by Entity (IPE). If you work in a public company, you have likely heard these buzz words thrown around once or twice before. They all describe information (reports, spreadsheets, files, etc.) that is generated by a company (or in some cases, the company’s third-party service provider) and is used to support an organization’s system of internal control.
With companies relying more heavily on third parties for key processes and investing in new, up-and-coming technologies, it is critical for management to take a fresh look at their controls to ensure that any information used in the execution of the controls is useful, relevant, complete and accurate.
Picture this common scenario: It is time to start planning for SOX compliance for the upcoming year. You thumb through the company’s existing control documentation and, right off the bat, you identify an issue: the controls do not reflect reality. Controls that were once manual are now automated. Controls that were historically performed in-house are now outsourced to a third-party service provider. The list goes on and on.
When the source, quality and reliability of the information used in the execution of controls are not sufficiently assessed, the company exposes itself to a variety of risks, including financial reporting misstatement risk, reputational risk, and compliance risk.
Below are some common information quality pitfalls we see in practice:
THE PATH AHEAD
So how does your company stack up? Download and complete the information quality diagnostic to see.
A significant amount of “no” responses may indicate that your company has deficiencies in the quality, relevance, accuracy, completeness and integrity of critical information used to support its system of internal control.
Management should periodically re-evaluate its information needs and should ensure that sufficient controls are in place to support information quality objectives. A review should be performed periodically (e.g., annually) to ensure that information needs are identified. Further, as part of this review, management should reassess whether there are sufficient controls over information systems/applications.
Although this sounds like a daunting task, we recommend the following steps to get started:
Identify information needs and deficiencies:
Obtain feedback from key stakeholders (e.g., management, control owners, internal audit, external audit, etc.) on information needs and deficiencies. In many cases, the best time to solicit this feedback is after year-end as information needs and deficiencies usually surface during a company’s external audit.
Educate key stakeholders:
When information quality and reliability are contingent upon human intervention, it is imperative that control owners are educated on the procedures required to be performed in order to meet information quality and reliability objectives.
Update control documentation:
Review existing control documentation (e.g., control matrices) to ensure that all key spreadsheets, reports, etc. used in the execution of the control are identified and that the source of that key spreadsheet or report is indicated. We encourage companies to establish formalized controls over all key spreadsheets and reports used in the execution of a control. Therefore, control descriptions may need to be expanded and enhanced to detail the procedures performed by the control owner to assess the completeness and accuracy of this underlying support.
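As an added illustration of the completeness and accuracy procedures described in the three steps above (this is example code, not part of the CFGI article and not a CFGI tool), the script below reconciles a system-generated report against a control record captured from the source system at export time: a row count for completeness, a control total for accuracy, and a SHA-256 file hash for integrity. The report contents, the control record, and the field names are all constructed for the example; in practice the control record would come from the source system's export log, and the three results would be attached to the control as evidence that the report was validated before it was relied upon.

```python
"""Completeness and accuracy (C&A) checks for a system-generated report.

Added example, not from the CFGI article: a control owner receives a CSV
export (a hypothetical AR aging extract) and a control record captured from
the source system when the export ran (row count, control total, SHA-256 of
the file). The checks below reconcile the export to that record so the report
can be relied on as support for a control. All data here is constructed.
"""
import csv
import hashlib
import io
from decimal import Decimal, InvalidOperation

# Constructed sample export (hypothetical AR aging extract).
SAMPLE_REPORT = (
    "invoice_id,customer,amount\n"
    "INV-1001,Acme Co,1250.00\n"
    "INV-1002,Globex,  780.50\n"
    "INV-1003,Initech,3199.99\n"
)

# Constructed control record, as it would be captured from the source system
# at export time (hypothetical values; 1250.00 + 780.50 + 3199.99 = 5230.49).
SAMPLE_CONTROL_RECORD = {
    "expected_rows": 3,
    "expected_total": Decimal("5230.49"),
    "expected_sha256": hashlib.sha256(SAMPLE_REPORT.encode("utf-8")).hexdigest(),
}


def sha256_of(report_text: str) -> str:
    """Hash the report exactly as received, so any later edit is detectable."""
    return hashlib.sha256(report_text.encode("utf-8")).hexdigest()


def summarize_report(report_text: str, amount_field: str = "amount") -> dict:
    """Parse the CSV export and compute the row count and control total."""
    reader = csv.DictReader(io.StringIO(report_text))
    rows = 0
    total = Decimal("0")
    bad_rows = []  # rows whose amount could not be parsed count against accuracy
    for row in reader:
        rows += 1
        try:
            total += Decimal(row[amount_field].strip())
        except (InvalidOperation, KeyError, AttributeError):
            bad_rows.append(row)
    return {"rows": rows, "total": total, "bad_rows": bad_rows}


def validate_report(report_text: str, control: dict) -> dict:
    """Reconcile the export against the control record.

    Returns the three named checks (True = passed), an overall result, and a
    list of exceptions suitable for attaching to the control's evidence.
    """
    summary = summarize_report(report_text)
    checks = {
        "integrity": sha256_of(report_text) == control["expected_sha256"],
        "completeness": summary["rows"] == control["expected_rows"],
        "accuracy": summary["total"] == control["expected_total"]
        and not summary["bad_rows"],
    }
    exceptions = []
    if not checks["integrity"]:
        exceptions.append("file hash differs from the export hash: report altered or wrong file")
    if not checks["completeness"]:
        exceptions.append(
            f"row count {summary['rows']} != expected {control['expected_rows']}")
    if not checks["accuracy"]:
        msg = f"control total {summary['total']} != expected {control['expected_total']}"
        if summary["bad_rows"]:
            msg += f"; {len(summary['bad_rows'])} unparseable amount(s)"
        exceptions.append(msg)
    return {"checks": checks, "passed": all(checks.values()), "exceptions": exceptions}


if __name__ == "__main__":
    print(validate_report(SAMPLE_REPORT, SAMPLE_CONTROL_RECORD))
    # A row dropped from the spreadsheet after export fails all three checks.
    dropped = SAMPLE_REPORT.replace("INV-1002,Globex,  780.50\n", "")
    print(validate_report(dropped, SAMPLE_CONTROL_RECORD))
```

The three checks are deliberately separate: a row count alone will not catch an edited amount, a control total alone will not catch two offsetting edits, and the hash catches any change but does not say what changed. Recording all three with the control evidence gives the reviewer (and the external auditor) a concrete basis for relying on the report rather than on the control owner's assertion.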
Complete, accurate and reliable information is the cornerstone of any well-functioning internal control environment. Without it, companies cannot possibly make wise decisions, report accurate results, or gain strategic advantages. Management must stay in tune with changing information needs and requirements and should ensure well-controlled systems are in place to generate quality information in a timely fashion. Identifying information requirements should be a fluid, ongoing process, and should take into consideration the needs of all key stakeholders across different lines of service and business units.
CFGI has extensive experience helping companies implement controls, processes and procedures aimed at improving the quality and reliability of information, as well as ensuring compliance with all of the 2013 COSO Framework Principles.