Reading summary
AUGUST 2012 / THE CPA JOURNAL20
By Thomas G. Calderon, Li Wang, and Edward J. Conrad
S ection 404(a) of the Sarbanes-Oxley Act of 2002 (SOX) requires the senior management of U.S. public
companies to issue a report assessing the effectiveness of the company’s internal control over financial reporting (ICFR). In addition, SOX section 404(b) requires the independent auditors of U.S. public companies to attest to the effectiveness of ICFR, although smaller public companies have been permanently exempted from this provision. Through these reporting require- ments, regulators have sought to improve the quality of financial reporting and bol- ster investor confidence.
An entity’s ICFR is considered ineffective if a material weakness is identified. The Public Company Accounting Oversight Board (PCAOB) defines a material weakness as “a deficiency, or a combination of defi- ciencies, in internal control over financial reporting, such that there is a reasonable pos- sibility that a material misstatement of the company’s annual or interim financial state- ments will not be prevented or detected on a timely basis” (Auditing Standard [AS] 5, An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements, Appendix A, A7, PCAOB, 2007).
Numerous studies have examined vari- ous issues related to material weakness reporting, such as the following: ■ Characteristics of companies reporting material weaknesses (e.g., Weili Ge and Sarah E. McVay, “The Disclosure of Material Weaknesses in Internal Control After the Sarbanes-Oxley Act,” Accounting Horizons, vol. 19, no. 3, pp. 137–158, 2005; Jeffrey T. Doyle, Weili Ge, and Sarah E. McVay, “Determinants of Weaknesses in Internal Control over Financial Reporting,” Journal of Accounting and Economics, vol. 44, no. 1/2,
pp. 193–223, 2007; Hollis Ashbaugh-Skaife, Daniel W. Collins, William R. Kinney, Jr., and Ryan LaFond, “The Effect of SOX Internal Control Deficiencies on Firm Risk and Cost of Equity,” Journal of Accounting Research, vol. 41, no. 1, pp.1–43, 2009) ■ Changes in corporate governance after reporting material weaknesses (e.g., Karla M. Johnstone, Chan Li, and Kathleen Hertz Rupley, “Changes in Corporate Governance Associated with the Revelation of Internal Control Material Weaknesses and Their Subsequent Remediation,” Contemporary Accounting Research, vol. 28, no. 1, pp. 331–383, 2011) ■ Capital market reactions to material weaknesses (e.g., Ashbaugh-Skaife 2009; Messod D. Beneish, Mary B. Billings, and
Leslie D. Hodder, “Internal Control Weaknesses and Information Uncertainty,” Accounting Review, vol. 83, no. 3, pp. 665–703, 2008; Jacqueline S. Hammersley, Linda A. Myers, and Catherine Shakespeare, “Market Reactions to the Disclosure of Internal Control Weaknesses and to the Characteristics of Those Weaknesses Under Section 302 of the Sarbanes-Oxley Act of 2002,” Review of Accounting Studies, vol. 13, no. 1, pp. 141–165, 2008) ■ The relationship between material weaknesses and earnings quality (e.g., Jeffrey T. Doyle, Weili Ge, and Sarah E. McVay, “Accruals Quality and Internal Control over Financial Reporting,” Accounting Review, vol. 82, no. 5, pp. 1141–1170, 2007; Kam C. Chan, Barbara R. Farrell, and Picheng Lee,
Material Internal Control Weakness Reporting Since the Sarbanes-Oxley Act
A C C O U N T I N G & A U D I T I N G a u d i t i n g
1
“Earnings Management of Firms Reporting Material Internal Control Weaknesses Under Section 404 of the Sarbanes-Oxley Act, Auditing: A Journal of Practice and Theory, vol. 27, no. 2, pp. 161–179, 2009; Ruth W. Epps and Cynthia P. Guthrie, “Sarbanes-Oxley 404 Material Weaknesses and Discretionary Accruals,” Accounting Forum, vol. 34, pp. 67–75, 2010) ■ The effects of material weaknesses on the cost of debt or equity (e.g., Maria Ogneva, Kannan Raghunandan, and K.R.
Subramanyam, “Internal Control Weakness and Cost of Equity: Evidence from SOX 404 Disclosures,” Accounting Review, vol. 82, no. 5, pp. 1255–1297, 2007; Dan S. Dhaliwal, Chris E. Hogan, Robert Trezevant, and Michael S. Wilkins, “Internal Control Disclosures, Monitoring, and the Cost of Debt,” Accounting Review, vol. 84, no. 4, pp. 1131–1156, 2011).
In contrast to prior studies, the analysis below reviews the trend and frequency of reported material weaknesses from 2004 to
2010, examines how company size corre- lates with material weaknesses, discusses how significant regulatory events altered ICFR reporting, describes the specific types of material weaknesses that were most prevalent during the 2004–2010 reporting period, and reports on the extent to which different types of material weaknesses per- sisted among companies. The conclusion discusses the implications of these materi- al weaknesses for auditors, management, and boards of directors.
21AUGUST 2012 / THE CPA JOURNAL
Organization Event Effective Date for Compliance with SOX Section 404 Reporting Requirements
Public Company Auditing Standard (AS) 2, An Audit of Internal Fiscal years ending after November 15, 2004 Accounting Oversight Control over Financial Reporting Performed in Board (PCAOB) Conjunction with an Audit of Financial Statements
SEC Requirement (Press Release, February 24, 2004) ■ Accelerated filers: fiscal year ending after November 15, 2004
■ Nonaccelerated filers and foreign private issuers: fiscal year ending after July 15, 2005
SEC Extension (Press Release, March 2, 2005) Nonaccelerated filers and foreign private issuers: fiscal year ending after July 15, 2006
SEC Extension (Press Release, September 22, 2005) Nonaccelerated filers: fiscal year ending after July 15, 2007
SEC Extension (Press Release, August 9, 2006) ■ Nonaccelerated filers: SOX section 404(a), fiscal year ending after December 15, 2007; SOX section 404(b), fiscal year ending after December 15, 2008
■ Accelerated foreign private issuers: SOX section 404(b), fiscal year ending after July 15, 2007
PCAOB AS 5, An Audit of Internal Control over Financial Fiscal year ending after November 15, 2007 Reporting That Is Integrated with an Audit of Financial Statements, superseded AS 2 (June 12, 2007)
SEC Management Guidance (Press Releases, Management guidance for evaluating and assessing June 27, 2007) internal control over financial reporting (ICFR)
SEC Extension (Press Release, February 1, 2008) Nonaccelerated filers: SOX section 404(b), fiscal years ending after December 15, 2009
SEC Extension (Press Release, October 2, 2009) Nonaccelerated filers: SOX section 404(b), fiscal years ending after June 15, 2010
Congress Dodd-Frank Wall Street Reform and Consumer Permanently exempted nonaccelerated filers from Protection Act of 2010 SOX section 404(b) requirements
EXHIBIT 1 Timeline of Significant Events Related to Internal Control Reporting
2
Background Originally, the SEC required larger pub-
lic companies (i.e., accelerated filers) to com- ply with SOX section 404 starting in 2004. To aid auditors in addressing the new require- ments, the PCAOB issued AS 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, in 2004. The first two
years of implementation came with signifi- cant costs and challenges; in light of the time and resources needed, the PCAOB released AS 5 in 2007, superseding AS 2, with the goal of improving audit efficiency in this area through a top-down approach focusing on significant financial statement accounts. In addition, the SEC extended the compliance dates several times for nonaccelerated filers
(see Exhibit 1). Lastly, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 permanently exempted nonac- celerated filers from the SOX section 404(b) reporting requirements.
Data This article’s analysis is based on data
obtained from Audit Analytics for 2004 to 2010. Because nonaccelerated filers (i.e., companies with a market capitalization less than $75 million) were eventually exempt- ed from SOX section 404(b) reporting requirements, the analysis focuses on accel- erated (i.e., companies with a market cap- italization between $75 million and $700 million) and large accelerated (i.e., com- panies with a market capitalization of at least $700 million) filers. In addition, because external auditors are independent and their reports on ICFR effectiveness are probably more objective than those provided by management, the analysis focuses on external auditors’ reports (SOX section 404[b]).
Analysis Accelerated filers with material weak-
ness by year and filing category. Exhibit 2 presents an analysis of both large accel- erated and accelerated filers with material weaknesses by year and filing category. The result in Exhibit 2 indicates that there is an overall downward trend in the num- ber of companies with material weakness- es over the 2004–2010 period. Public companies were first required to file SOX section 404(b) reports as of November 15, 2004. Approximately 20% of accelerated filers reported material weak-
AUGUST 2012 / THE CPA JOURNAL22
Number of Filers with Percentage of All Filers Year Material Weaknesses in the Filing Category
Panel A: Accelerated Filers
2004 246 20%
2005 281 15%
2006 234 13%
2007 205 11%
2008 123 7%
2009 80 5%
2010 76 5%
Panel B: Large Accelerated Filers
2004 161 12%
2005 179 9%
2006 146 6%
2007 105 5%
2008 45 3%
2009 32 2%
2010 28 1%
EXHIBIT 2 Accelerated Filers with Material Weaknesses, by Year and Filing Category
EXHIBIT 3 Top 10 Types of Material Weakness
MW1: Accounting documentation, policy, or procedures MW11: Material or numerous auditor/year-end adjustments
MW2: Accounting personnel resources and competency/training MW20: Restatement of or nonreliance on company filings
MW19: Untimely or inadequate account reconciliations MW7: Information technology, software, and security and access
MW12: Nonroutine transaction control issues MW14: Restatement of previous SOX section 404 disclosures
MW17: Segregation of duties and design of controls MW9: Journal entry control issues
97.4% 60.9%
51.4% 42.1%
24.8% 20.2% 19.4%
15.0% 14.2%
10.7%
3
nesses in 2004, as opposed to only 12% of large accelerated filers. Although the num- ber of companies with material weakness- es increased in 2005 for both types of accelerated filers, the corresponding per- centages decreased for both types of filers. This is due largely to the fact that, in 2004, only accelerated registrants with fiscal years ending after November 15 were sub- ject to the SOX section 404(b) requirement; on the other hand, all accelerated regis- trants, regardless of fiscal year-end, were subject to the requirement in 2005. Interestingly, both categories of filers expe- rienced a sharp decline in reported mate- rial weaknesses in 2008. This sharp drop may have resulted from the improved guid-
ance of AS 5, which became effective in 2007. It is possible that public companies experienced the intended effect of AS 5 more fully in 2008 than in 2007. In addi- tion, it is very likely that corporations became more adept at designing effective internal control structures and complying with sound internal control practices (i.e., problems were fixed over time).
By 2010, only 1% of large accelerated filers and 5% of accelerated filers had material weaknesses, and material weak- nesses seem to have been significantly remediated from 2004 to 2010. The result reported in Exhibit 2 suggests that mandatory reporting on ICFR led to improvements in the quality of internal control over financial reporting, particularly among large public companies.
Specific material weakness issues. Several internal control issues can give rise to a mate- rial weakness. Audit Analytics uses a 21-item taxonomy to identify these issues. Exhibit 3 shows a ranking of the top 10 issues (collec- tively, over the 2004–2010 period). The rank-
ings for accelerated and large accelerated fil- ers were combined because only negligible differences between the two were observed. The predominant material weakness issue is accounting documentation and policy, fol- lowed by material or numerous auditor/year- end adjustments, and then by accounting personnel resources and competency. On aver- age, 97.4% of all accelerated filers with mate- rial weaknesses had issues related to account- ing documentation and policy. Because this is a critical part of the internal control struc- ture, the consistency and quality of financial statements are likely to be significantly affect- ed by a lack of controls in this area. Many
other controls rely on the existence of prop- er documentation and policy.
Exhibit 4 shows the trend of the top five material weakness issues from 2004 to 2010, broken down by year. The exhibit reveals several salient patterns. The top two issues from 2004 to 2010 have consistent- ly been the following: ■ Accounting documentation, policy, or procedures (MW1) ■ Material or numerous auditor/year- end adjustments (MW11).
Accounting personnel resources and competency/training (MW2) and restate- ment of or nonreliance on company filings
23AUGUST 2012 / THE CPA JOURNAL
Rank 2004 2005 2006 2007 2008 2009 2010
1 MW1 MW1 MW1 MW1 MW1 MW1 MW1
2 MW11 MW11 MW11 MW11 MW11 MW11 MW11
3 MW20 MW20 MW2 MW2 MW2 MW2 MW2
4 MW2 MW2 MW20 MW20 MW7 MW20 MW20
5 MW19 MW19 MW19 MW7 MW19 MW7 MW4
Note: MW1: Accounting documentation, policy, or procedures MW11: Material or numerous auditor/year-end adjustments MW2: Accounting personnel resources and competency/training MW20: Restatement of or nonreliance on company filings MW19: Untimely or inadequate account reconciliations MW7: Information technology, software, and security and access MW4: Inadequate disclosure controls
EXHIBIT 4 Rank of Material Weakness Issues by Year
EXHIBIT 5 Persistent Material Weakness
Accelerated Filers
Large Accelerated Filers
Persistence 1 Persistence 2 Persistence 3 Persistence 4 Persistence 5 or more
50% 31%
12% 5%
2%
54% 27%
12% 5%
2%
Material weaknesses seem to
have been significantly remediated
from 2004 to 2010.
4
(MW20) have consistently appeared to be either the third or fourth most prevalent issues from 2004 to 2010. MW2 ranked fourth in 2004 and 2005, but moved up to third place after 2005; in contrast, MW20 was third on the list until 2005, but dropped to fourth place from 2006 to 2010 (except for 2008).
The increasing pressure on accounting personnel resources is evident in these results, which seems consistent with the emphasis in organizations on lean person- nel resources and deferred training due to diminishing personnel budgets. Inadequate disclosure controls (MW4) rose into the top five for the first time in 2010, possi- bly reflecting the greater monitoring of this area by the SEC.
Consecutive years of material weakness. Exhibit 5 identifies the percentage of compa- nies that experienced consecutive years of material weaknesses (although not necessar- ily the same issues). If a company had mate-
rial weaknesses in only one year, it is count- ed as Persistence 1; if a company had mate- rial weaknesses in two consecutive years, it is counted as Persistence 2; and so on. A surprisingly large number of companies had multiple years of ineffective internal controls and thus persistent material weaknesses.
Exhibit 5 shows that 50% of accelerat- ed filers and 46% of large accelerated fil- ers with material weaknesses reported them for two or more years. Less than 20% of companies had material weaknesses for three or more years, and at least half of the large accelerated and accelerated filers had them for only one year. Thus, it seems that the majority of the companies were able to remediate identified material weaknesses within one or two years. The top three material weaknesses that persisted for three or more consecutive years are MW1, MW11, and MW2. These are the same three material weaknesses that occurred most frequently among all accelerated fil-
ers and in each year examined from 2004 to 2010.
Average number of material weak- nesses. Exhibit 6 reveals that the average number of material weaknesses for accel- erated filers has been declining; this num- ber decreased from 2.5 in 2005 to 1.6 in 2010 for accelerated filers. In contrast, the average number of material weaknesses for large accelerated filers started at 2.4 in 2004, dropped to 2 in 2005, remained rel- atively constant through 2008, increased to 2.8 in 2009, and eventually decreased again to 2.4 in 2010.
A closer look at material weaknesses reported in 2009 by large accelerated filers (Exhibit 7) reveals that the frequency of the presence of MW1, MW11, and MW7 (infor- mation technology, software, and security and access) increased in 2009. In addition, MW4 (inadequate disclosure controls) emerged among the top four issues in 2009 for large accelerated filers. This is consistent with the SEC’s increasing emphasis on dis- closure in recent years.
Implications The number of companies with reported
material weaknesses declined significantly from 2004 to 2010. Companies are strength- ening their internal controls, and existing pro- fessional guidance has become more effec- tive. One practice that became fairly com- mon over the 2004–2010 period was strengthening the internal audit team; inter- nal auditors are now routinely reporting to the audit committee of the board (Raymond Elson and Michael Lynn, “The Impact and Effect of the Sarbanes-Oxley Act on the Internal Audit Profession: Chief Audit Executives’ Perspectives,” Academy of
AUGUST 2012 / THE CPA JOURNAL24
EXHIBIT 7 Top Five Types of Material Weakness
for Large Accelerated Filers (2009)
MW1: Accounting documentation, policy, or procedures
MW11: Material or numerous auditor/year-end adjustments
MW2: Accounting personnel resources and competency/training
MW4: Inadequate disclosure controls
MW7: Information technology, software, and security and access
100%
81%
53%
34%
31%
EXHIBIT 6 Average Number of Material Weaknesses
3.0
2.5 2.0 1.5 1.0 0.5
0 2004 2005 2006 2007 2008 2009 2010
Large Accelerated Filers Accelerated Filers
2.4 2.3
2.5 2.2 2.1
2.3
2.1 2.3
2.8
2.2 2.4
22 1.6
5
Accounting and Financial Studies Journal, vol. 12, no. 1, pp. 59–65, 2008; Lawrence J. Abbott, Susan Parker, and Gary F. Peters, “Serving Two Masters: The Association Between Audit Committee Internal Audit Oversight and Internal Audit Activities, Accounting Horizons, vol. 24, no. 1, pp. 1–24, 2010).
Company size, as reflected by market capitalization, has a bearing on the num- ber of material weaknesses discovered. Large accelerated filers appear to have stronger internal control systems and, thus, fewer incidents of ineffective internal controls than accelerated filers. It seems that the level of resources that a company can commit to internal controls has an important effect on whether it will experi- ence a material weakness. Audit commit- tees should remain aware of the apparent relationship between the resources com- mitted to internal controls and the effec- tiveness of those controls.
As noted above, MW1, MW11, and MW2 in particular persist across years and across accelerated and large accelerated compa- nies. Audit committees and internal auditors should be aware that several issues are the prime culprits in the assessment of internal control effectiveness. Internal audit person- nel and management should stay vigilant in monitoring and evaluating these areas.
It is not certain that internal controls attestation will produce incremental cash flow benefits as a result of process improvements that are normally associated with enhanced internal controls. Yet, a large body of litera- ture suggests a direct correlation between the effectiveness of internal controls and audit fees (Arnold Schneider, Audrey Gramling, Dana Hermanson, and Zhongxia Ye, “A Review of Academic Literature on Internal Control Reporting Under SOX,” Journal of Accounting Literature, vol. 28, pp. 1–46, 2009; Thomas G. Calderon, Li Wang, and Tom Klenotic, “Past Control Risk and Current Audit Fees,” Managerial Auditing Journal, forthcoming). Thus, it seems plau- sible that audit committees and internal audi- tors could help reduce their companies’ audit and related professional fees by continuing to nurture their internal control systems.
Material weaknesses persist longer for smaller accelerated filers; this is not surpris- ing, given the comparably limited resources available to such entities. Larger corporations exhibit less persistent material weaknesses;
this is consistent with access to greater resources. It is incumbent upon current and prospective boards of directors to be aware of likely areas of material weaknesses and
their overall implications for corporate gov- ernance. Board members and audit com- mittees should review all material weak- ness findings, but they should pay particu- lar attention to the three predominant inter- nal control issues that commonly challenge corporations of all sizes. In doing so, board
members should work closely with internal audit units; a direct relationship between the internal audit function and the audit com- mittee of the board enhances a corporation’s control structure and can minimize internal control problems (Schneider 2009).
Internal auditors and a company’s audit committee must stay abreast of requirements in the continuously evolving reporting environment. The PCAOB’s AS 5, the SEC’s guidance regarding management’s report on ICFR, and the requirements of the Dodd-Frank Act illustrate the changing nature of this dynamic area. ❑
Thomas G. Calderon, PhD, is a professor of accountancy, Li Wang, PhD, CPA, CMA, is an assistant professor, and Edward J. Conrad, PhD, is an associate professor, all at the George W. Daverio School of Accountancy, the University of Akron, Akron, Ohio. The authors wish to thank Diane Jules for her feedback on this article.
25AUGUST 2012 / THE CPA JOURNAL
It seems that the level of resources that a company can commit to
internal controls has an important effect on whether it will experience
a material weakness.
6
JULY 2010 / THE CPA JOURNAL30
By Audrey A. Gramling, Dana R. Hermanson, Heather M. Hermanson, and Zhongxia (Shelly) Ye
O ne of the fundamental elements of effective internal control is segre- gation of duties, meaning that a
process is divided among several people. As such, no single person can take advantage of the situation for personal gain or other impropriety. Although segregation of duties is prevalent in larger, more bureaucratic organizations, it can present a challenge for smaller companies with limited person- nel and constrained resources.
Newly available data can shed light on the problems smaller companies face in the segregation of duties. Specifically, the seg- regation of duties material weaknesses disclosed by smaller companies under Sarbanes-Oxley (SOX) section 404(a) for the 2008 fiscal year are analyzed below. SOX section 404(a) requires management to pro- vide its assessment of the effectiveness of internal control over financial reporting and to disclose any material weaknesses in inter- nal control. Smaller reporting companies do not yet have to comply with SOX section 404(b), which requires an auditor’s opinion on the company’s internal controls.
This article explores the types of small- er companies with segregation of duties problems; the nature of the weaknesses, including specific accounting areas affect- ed and any compensating controls; possi- ble solutions; and the sample companies’ efforts to remediate these weaknesses.
Sample Companies The Audit Analytics database was used
to identify smaller companies with mate- rial weaknesses related to segregation of duties. Specifically, companies with the fol- lowing characteristics were selected: ■ The Sarbanes-Oxley section 404(a) management report on internal controls
indicated ineffective controls (at least one material weakness exists). ■ One of the reasons listed was “IC— Segregations of duties/Design of controls (personnel)” (the material weakness involves a segregation of duties problem).
■ The fiscal year was 2008. ■ The company’s market value was less than $75 million (the cutoff for smaller reporting companies is $75 million of pub- lic float). ■ The company was U.S.-based.
These criteria yielded 358 small com- panies with segregation of duties materi- al weaknesses disclosed by management, out of approximately 700 smaller com- panies with ineffective internal controls due to any type of material weakness. (A similar search of large companies [market value greater than $75 million]
yielded less than 30 larger companies with segregation of duties material weakness- es. Thus, segregation of duties problems appear to be mainly a small company issue.) These 358 small companies were sorted by name and the first one-third of
the management reports were analyzed, ultimately resulting in a sample of 116 companies.
Exhibit 1 presents descriptive informa- tion on the 116 sample companies. Their median market value was under $5 mil- lion, and their median assets were just over $1 million. Many of the companies also appear to be in the startup stage, as 42 have no revenues (median revenues were under $100,000), and the median net loss was nearly $1.3 million. The industry mix was weighted toward manufacturing and service companies. The median total num-
Addressing Problems with the Segregation of Duties in Smaller Companies
A C C O U N T I N G & A U D I T I N G i n t e r n a l c o n t r o l s
15
ber of material weaknesses reported by each company was two, ranging from one to eight.
Nature of the Segregation of Duties Weaknesses
The authors analyzed the management report on internal control for each of the 116 sample companies in order to understand the nature of the segregation of duties weak- nesses. The reports differ in their level of disclosure, with some companies in order providing limited, boilerplate language and others providing in-depth discussions of their material weaknesses, compensating controls, and present and future remediation efforts.
As shown in Exhibit 2, the vast major- ity of companies described their segrega- tion of duties weaknesses as too few employees (90 companies). A significant number (22 companies) did not discuss the specifics of the problem. Seven companies indicated that they have only one or two officers or directors.
Some companies mentioned specific accounting areas affected by the segrega- tion of duties material weaknesses. The most commonly mentioned areas were cash disbursements, cash, accounts payable/invoice approval, purchases, and period-end closing. It is clear that the pri- mary area of concern is the disbursement cycle, where a lack of segregation of duties can result in unauthorized purchases and payments. (See the Association of Certified Fraud Examiners’ [ACFE] 2008 Report to the Nation on Occupational Fraud and Abuse, www.acfe.com/documents/ 2008-rttn.pdf, for details on the prevalence of disbursement frauds.)
Some companies discussed compensat- ing controls that may partially mitigate the segregation of duties problem. The two most commonly mentioned compensating controls were management, board, or other independent reviews and reconciliations, and third-party reviews. Thus, additional review, whether done by company insid- ers or third parties, is the key compensat- ing control cited by management.
Resolving Segregation of Duties Problems
Several entities and commentators offer guidance and suggestions for addressing segregation of duties challenges, especial- ly for small companies.
Adding more people. One obvious solu- tion to segregation of duties weaknesses is to add more people to the organization. It is difficult to offer a general rule regarding how many people are needed for an appropriate segregation of duties, as the number needed will depend on the com- pany setting, the specific processes involved, the skill levels of the employees, and a host of other factors.
There is some debate about whether adding more people is an optimal solution. For example, the University of Colorado policy manual asserts that adding more people is typically the best solution, but recognizes that it is not always feasible (www.cu.edu/security/ps/INTERNAL_ CONTROLS.HTML):
Compensating Controls are less desirable than separation of duties because they gen- erally occur after the transaction is com- plete (post audit). Relying completely on compensating controls is less desirable than
separation of duties because it takes more resources to investigate and correct errors, and recover losses, than it does to prevent them. However, in some circum- stances, departments do not have the staff resources to establish adequate separation of duties, so they have no choice in the matter. In these instances, it is important for management to implement controls that compensate for the increased risk. In contrast, a common theme among many
commentators appears to be that hiring more employees may not be the best solution to segregation of duties material weaknesses. Rather, many suggest that companies focus on reducing risk in crucial areas. As the Committee of Sponsoring Organizations of the Treadway Commission (COSO) states in its 2006 Internal Control over Financial Reporting—Guidance for Smaller Public Companies (p. 5), “Segregation of duties is not an end in itself, but rather a means of mit- igating risk inherent in processing.”
31JULY 2010 / THE CPA JOURNAL
Company Size* Median
Market Value $4,923,425
Revenues $ 81,150
Assets $1,066,443
Net Income −$1,274,507
SIC Codes Companies
0000-1999 Agriculture, Mining, and Construction 18
2000-3999 Manufacturing 33
4000-4999 Transportation and Communication 8
5000-5999 Wholesale and Retail 8
6000-6999 Financial, Insurance, and Real Estate 8
7000-8999 Services 36
9995 Nonoperating 5
Total 116
Total Number of Material Weaknesses
Median number of material weaknesses per company 2
Range of material weaknesses per company 1–8
* Not all companies reported figures in this section; 42 companies reported revenues of 0.
EXHIBIT 1 Sample of Smaller Companies with Material Weaknesses
Related to Segregation of Duties (116 Companies)
16
Beyond adding more people, profession- al guidance tends to focus on four other types of solutions: rotation of duties; manage- ment oversight; third-party involvement; and top-down, risk-based analysis. Some com- bination of these solutions may be the best alternative for many small businesses.
Rotation of duties. Some companies that may not have the ability to add people can peri- odically rotate duties among existing person- nel. The ACFE’s 2008 report highlighted the effectiveness of job rotation and mandatory vacation in reducing fraud losses. Organizations using job rotation or mandatory vacation had median fraud losses that were more than 60% lower than companies that did not use job rota-
tion or mandatory vacation. Fraud investiga- tor Joseph Wells also points to job rotation as a key fraud deterrent, but recognizes that job rotation may be difficult for some very small organizations to employ (“The Case of the Pilfering Purchasing Manager,” Journal of Accountancy, May 2004).
Management oversight. Some small businesses may need to rely on greater man- agement involvement in day-to-day activities. For instance, COSO’s 2006 internal control guidance states:
Resource constraints may limit the num- ber of employees, sometimes resulting in concerns regarding segregation of duties. There are, however, actions man-
agement can take in order to compen- sate for potential inadequacy. These include managers reviewing system reports of detailed transactions; select- ing transactions for review of support- ing documents; overseeing periodic counts of physical inventory, equipment or other assets and comparing them with accounting records; and reviewing rec- onciliations of account balances or per- forming them independently. In many small companies managers already are performing these and other procedures supporting reliable reporting, and cred- it should be taken for their contribution to effective internal control. (p. 4) Thus, COSO primarily points to addi-
tional management review and reconcilia- tions to bolster controls when segregation of duties is lacking. If management review is used as a key control, however, it is crit- ical that the managers have appropriate knowledge of accounting and understand- ing of the underlying transactions that they are reviewing.
The SEC’s Advisory Committee on Smaller Public Companies offers a simi- lar perspective in its 2006 final report (www.sec.gov/info/smallbus/acspc/acspc- finalreport.pdf), calling for senior man- agement to be directly involved when seg- regation of duties is weak:
In smaller companies, people wear mul- tiple hats … The result is that segrega- tion of duties, a key element of effective internal control, may not be achievable to the extent desired. This lack of segre- gation of duties requires senior manage- ment to be involved in all material trans- actions and directly involved in financial reporting. (pp. 35–36) Management’s daily involvement in
material transactions can serve to mitigate segregation of duties issues. Management can rely on exception reporting to highlight areas for further review. For example, the company’s information system can gener- ate reports of disbursements over a cer- tain threshold or disbursements to unrec- ognized vendors for management review. In addition, regular analytical review pro- cedures also may help highlight unusual trends. For example, most businesses should have fairly stable gross profit and operating profit relationships. Being famil- iar with key operating figures and ratios should help management identify abnor-
JULY 2010 / THE CPA JOURNAL32
Nature of Segregation of Duties Material Weaknesses* Companies
Not enough people 90
Nonspecific segregation of duties problem 22
Only have 1–2 officers or directors 7
Other 2
Specific Areas or Accounts Mentioned
Cash disbursements 6
Cash 5
Accounts payable/invoice approval 3
Purchases 3
Period-end closing process 3
Compensating Controls Mentioned
Management/board review, independent reviews, and reconciliations 14
Third-party review 4
* Some companies are reflected in more than one category.
EXHIBIT 2 Summary of Weaknesses Related to Segregation of Duties
(116 companies)
COSO primarily points to additional management
review and reconciliations to bolster controls
when segregation of duties is lacking.
17
33JULY 2010 / THE CPA JOURNAL
mal shifts in key accounts. Regular use of horizontal and vertical analysis should pro- vide management with an understanding of baseline performance, enhancing the opportunity to detect problems.
A common theme is that management must have financial expertise if the busi- ness is going to rely on management over- sight in lieu of traditional segregation of duties. In addition, a business may derive greater benefits from a more informed management team than from additional employees hired purely to resolve segre- gation of duties conflicts. Consistent with this notion, a recent GAO report, Sarbanes- Oxley Act: Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies (www.gao. gov/new.items/d06361.pdf), suggests that active management involvement is as effec- tive and efficient as other types of controls:
According to COSO, however, some of the unique characteristics of smaller companies create opportunities to more efficiently achieve effective internal con- trol over financial reporting and more efficiently evaluate internal control which can facilitate compliance with sec- tion 404. These opportunities can result from more centralized management oversight of the business, and greater exposure and transparency with the senior levels of the company that often exist in a smaller company. For instance, management’s hands-on approach in smaller companies can create opportu- nities for less formal and less expen- sive communications and control procedures without decreasing their quality. To the extent that smaller com- panies have less complex product lines and processes, and/or centralized geo- graphic concentrations in operations, the process of achieving and evaluating effective internal control over financial reporting could be simplified. (p. 19) Third-party involvement. Others point
to third-party involvement as a potential solution to segregation of duties weak- nesses. The PCAOB’s 2009 Guidance for Auditors of Smaller Public Companies addresses this issue:
Use of external parties also can help achieve segregation of certain incom- patible duties without investing in addi- tional full-time resources … Consultants, other professionals, or temporary
employees can assist companies in per- forming some controls or other duties. For more complex or specialized por- tions of internal control, such as cash receipts handling, payroll processing, or securities recordkeeping, the compa- ny might use an external party to per- form an entire function. (p. 25) One potential third party to consider is
an external CPA. Eve E. Brown, in “Five Common Mistakes of Small Business Owners” (www.sbrn.org/Connections/ 05_00_Five_Common_Mistakes.htm), sug- gests that small-business owners:
Find a professional you’re comfortable with and use their knowledge to make your busi- ness run smoothly. Involving your CPA as a “partner” in your business allows him
or her to analyze your situation and estab- lish an accounting system that works for your business. … This effort can be as sim- ple as having your bank statements sent directly to your CPA before passing them along to your bookkeeper. If your CPA doesn’t scrutinize the statements, a quick review can sometimes uncover unusual entries or trends. You should also obtain the necessary reports at month’s end that tie all financial activity together for that time period. These reports let you see where you stand month to month and reveal any mistakes or financial misconduct. When considering the use of third par-
ties, it is important to analyze the costs and benefits of using third parties as compared to hiring an additional person or using more direct management involvement.
Top-down, risk-based analysis. Many software companies and IT auditors focus
particular attention on segregation of duties issues. Several companies offer software products that identify incompatible sys- tem duties held by the same individual. These companies typically develop large matrices to document all possible duties and highlight every conflict. While this technique was popular during the early stages of SOX implementation, many argue that a focus on a matrix of incompatible duties puts too much focus on noncrucial conflicts, draining resources from key risk areas. As a result, many auditors are tout- ing a risk-based approach (“Segregation of Duties in the Real World,” Oversight Systems, www.oversightsystems.com/ whitepapers/Real_World_SoDs_060 808.pdf):
Rather than approaching every SOD [segregation of duties] conflict with equal importance, risk-based segregation considers each conflict in the context of its effect on financial integrity and the likelihood of actual violations. (p. 4) Similarly, Nick Stone, corporate audit
manager of Cree Inc., calls for IT audi- tors to use a risk-based approach to eval- uating segregation of duties conflicts that they identify in their companies’ systems (“Simplifying Segregation of Duties,” Internal Auditor, April 2009):
In many organizations, responsibility for testing SOD is relegated to the IT audi- tor — for better or worse. The reasoning behind this assignment correlates SOD controls to logical system access. While not incorrect, this knee-jerk response over- looks the importance of understanding business risks and existing controls already
Segregation of duties weaknesses must be considered within the broader
context of key business risks and compensating controls.
18
in place to address those risks. IT audi- tors traditionally assigned SOD testing (or control design) should rise above nuanced logical access settings and understand the business in a way that facilitates more practical control mechanisms and more efficient audit procedures … Instead of starting with these automated tools, auditors should consider putting the scripts down (at least for now) and focusing on understanding the few critical risks that need to be controlled. Once these risks are understood, scripts can be used on a tar- geted basis to streamline SOD testing. Thus, segregation of duties weaknesses
must be considered within the broader con- text of key business risks and compensat- ing controls.
Once these key risk areas are identi- fied, management should ask the follow- ing questions, implementing segregation of duties where appropriate:
■ Are sensitive transactions document- ed/mapped so that each step is clearly understood?
■ Are key points in the transaction pro- cesses identified where one person’s ability to perform tasks ends and another’s begins? ■ Are employees in sensitive positions properly vetted? ■ Are processes in place to adjust sys- tem access when employees change roles within the organization? ■ Are employees who handle sensitive information required to take mandatory vacations, or are they required to change roles periodically (rotation of duties)? (“Segregation of Duties and Oversight Controls Gone Wrong,” Tom Olzak, it.toolbox.com, January 27, 2008)
Companies’ Remediation Efforts As shown in Exhibit 3, many of the
116 companies’ management reports on internal control also discuss the sta- tus of any remediation efforts. Upon analysis, many of these efforts are con- sistent with the guidance discussed above.
Nineteen companies had already taken some steps to remediate their weaknesses. The most common steps taken were using third parties (outside firms or con- sultants) to perform accounting tasks, hir- ing more people, performing more inde- pendent reconciliations or reviews, and reviewing the situation to develop a spe- cific plan.
Thirty-two companies indicated that they plan to make improvements in the future. The most common changes they planned to make were hiring more people, per- forming more independent reconciliations or reviews, using third parties to perform accounting tasks, reassigning roles and responsibilities, and enhancing their pro- cedures.
In many cases, a company was not able to address the weakness. Thirty-seven companies indicated that they would change things if they had more resources, and 11 companies stated that they were unlikely to make changes, given cost-ben- efit considerations.
Aiming for Effective Controls The authors’ analysis of newly available
data mandated by SOX indicates that many smaller companies are dealing with segre- gation of duties weaknesses, typically stem- ming from having a limited number of staff. While adding more staff is one obvious solution to the problem, it is not always feasible. Other possible solutions include rotation of duties, management oversight, use of third parties to supple- ment in-house staff, and using a top-down, risk-based analysis to identify incompati- ble duties and then thinking about these issues with respect to important business risks and compensating controls. The bot- tom line is getting to effective internal con- trols, whether through segregation of duties or other forms of control that can offset segregation of duties limitations. ❑
Audrey A. Gramling, PhD, CPA, CIA, is an associate professor, Dana R. Hermanson, PhD, is the Dinos Eminent Scholar Chair of Private Enterprise and professor, Heather M. Hermanson, PhD, is a temporary faculty member, and Zhongxia (Shelly) Ye, PhD, is an assis- tant professor, all at Kennesaw State University, Kennesaw, Ga.
JULY 2010 / THE CPA JOURNAL34
Remediation Status* Companies
Would change if had more financial resources 37
Plan to do something, but have not started (not cost issues) 32
None mentioned 25
Have done some remediation 19
Unlikely to change given cost-benefit considerations 11
Remediation Steps Already Taken
Used third parties to perform accounting tasks 7
Hired more people 5
Performed more independent reconciliations or reviews 3
Reviewing the situation, and developing a plan 3
Remediation Steps Planned in Future
Hire more people 8
Perform more independent reconciliations or reviews 8
Use third parties to perform accounting tasks 4
Reassign roles and responsibilities 2
Enhance procedures 2
* Some companies are reflected in more than one category.
EXHIBIT 3 Efforts to Remediate Weaknesses Related to Segregation of Duties
(116 companies)
19