SOX: Potential Changes to Internal Control Over Financial Reporting

Norman Marks

As I open my email these days, I see people suggesting that we are about to enter a new era of assessments for SOX (Sarbanes-Oxley Section 404).

Some are excited; some are in despair.

Some are keen to jump on a new bandwagon and sell seats at classes on assessing internal control over financial reporting using COSO 2013 (COSO is preparing to issue an update of its 1992 landmark Internal Control Framework).

Others are lamenting the advent of a checklist-approach to SOX assessment that they believe is implicit in the drafts of COSO 2013.

A few continue their quixotic attempts to brand the COSO Internal Control Framework (ICF) as inept, preferring a totally different approach.

So let me see if I can bring some sanity to this excited confusion.

In my opinion, the 1992 ICF provides a reasonable basis for SOX assessments. What people have overlooked in their haste to criticize is that it requires a risk-based approach! The Risk Assessment component asks that you identify and assess sources of risk to your objectives (in the case of SOX, the objective is financial statements that are free of material error) before selecting the controls to address those risks.

Those who criticize COSO ICF as failing should look, not to any defect in the framework, but to defects in its use – by external auditors and those influenced by them.

The quixotic point out, correctly, that the greatest risks lie in areas that are not given the attention they should: such as the integrity of management and the skills and competencies of those involved in financial reporting (including those responsible for compliance with accounting rules and for tax accounting).

But these are areas included in the Control Environment component. The fault, if fault exists, is that insufficient attention is paid to the Control Environment and too much is paid to detailed business process controls that reside in the Control Activity component.

While most organizations and their external auditors spend the great majority of their time testing detailed controls, very few material weaknesses are uncovered there. In fact, when they do find important issues during that testing, the root cause is typically a failing in the Control Environment activities related to staff competencies.

If I may, I believe any defect in SOX assessment processes has been a deficiency in the use of judgment to understand each organization’s sources of risk to the financial statements – a deficiency in the attention paid to the Risk Assessment component and to the activities in the Control Environment component.

So, COSO 1992 still works for me. But will 2013 augur a change in approach? Will it reduce us from using our judgment to relying on a checklist?

The jury is still out, as we don’t know what the COSO Board is going to do. The signs are not promising, as the last draft continued to be unclear on the role of judgment vs. assessing internal control based on the presence of defined principles (which is the checklist approach). In addition, the supplementary documents that were designed to help with an assessment are entirely checklist-based.

Any class that is offered today on assessing SOX using COSO 2013 should be viewed with great skepticism. How can you teach something that is not yet final – and whose drafts may be changed significantly?

I hope that the COSO Board continues to listen to those (including me) who promote the continued use of a top-down and risk-based approach to assessing internal control – especially internal control over financial reporting. Judgment rather than a checklist is the only way to go.

Guidance specifically for SOX should embody the top-down and risk-based approach, demonstrating with examples how the process explained in SEC guidance and in PCAOB Auditing Standard Number 5 is followed using COSO ICF.

It should start with Risk Assessment, the identification of sources of risk (significant accounts and locations, etc.) and continue with the identification of key controls – which may exist in at any level of the organization and are found in Control Environment, Control Activities, Information and Communication, and possibly in Monitoring.

So, I would not enroll in classes in COSO 2013, nor would I despair (yet) about COSO 2013. All I would do is encourage everybody to lobby COSO to stress judgment over checklists and to promote the top-down and risk-based approach to assessing internal control.

I welcome your comments.




Recommended for you:

13 Scary Statistics On Employee Engagement [INFOGRAPHIC]

Jacob Shriar

There is a serious problem with the way we work.

Most employees are disengaged and not passionate about the work they do. This is costing companies a ton of money in lost productivity, absenteeism, and turnover. It’s also harmful to employees, because they’re more stressed out than ever.

The thing that bothers me the most about it, is that it’s all so easy to fix. I can’t figure out why managers aren’t more proactive about this. Besides the human element of caring for our employees, it’s costing them money, so they should care more about fixing it. Something as simple as saying thank you to your employees can have a huge effect on their engagement, not to mention it’s good for your level of happiness.

The infographic that we put together has some pretty shocking statistics in it, but there are a few common themes. Employees feel overworked, overwhelmed, and they don’t like what they do. Companies are noticing it, with 75% of them saying they can’t attract the right talent, and 83% of them feeling that their employer brand isn’t compelling. Companies that want to fix this need to be smart, and patient. This doesn’t happen overnight, but like I mentioned, it’s easy to do. Being patient might be the hardest thing for companies, and I understand how frustrating it can be not to see results right away, but it’s important that you invest in this, because the ROI of employee engagement is huge.

Here are 4 simple (and free) things you can do to get that passion back into employees. These are all based on research from Deloitte.

1.  Encourage side projects

Employees feel overworked and underappreciated, so as leaders, we need to stop overloading them to the point where they can’t handle the workload. Let them explore their own passions and interests, and work on side projects. Ideally, they wouldn’t have to be related to the company, but if you’re worried about them wasting time, you can set that boundary that it has to be related to the company. What this does, is give them autonomy, and let them improve on their skills (mastery), two of the biggest motivators for work.

Employees feel overworked and underappreciated, so as leaders, we need to stop overloading them to the point where they can’t handle the workload.

2.  Encourage workers to engage with customers

At Wistia, a video hosting company, they make everyone in the company do customer support during their onboarding, and they often rotate people into customer support. When I asked Chris, their CEO, why they do this, he mentioned to me that it’s so every single person in the company understands how their customers are using their product. What pains they’re having, what they like about it, it gets everyone on the same page. It keeps all employees in the loop, and can really motivate you to work when you’re talking directly with customers.

3.  Encourage workers to work cross-functionally

Both Apple and Google have created common areas in their offices, specifically and strategically located, so that different workers that don’t normally interact with each other can have a chance to chat.

This isn’t a coincidence. It’s meant for that collaborative learning, and building those relationships with your colleagues.

4.  Encourage networking in their industry

This is similar to number 2 on the list, but it’s important for employees to grow and learn more about what they do. It helps them build that passion for their industry. It’s important to go to networking events, and encourage your employees to participate in these things. Websites like Eventbrite or Meetup have lots of great resources, and most of the events on there are free.

13 Disturbing Facts About Employee Engagement [Infographic]

What do you do to increase employee engagement? Let me know your thoughts in the comments!

Did you like today’s post? If so you’ll love our frequent newsletter! Sign up here and receive The Switch and Shift Change Playbook, by Shawn Murphy, as our thanks to you!

This infographic was crafted with love by Officevibe, the employee survey tool that helps companies improve their corporate wellness, and have a better organizational culture.


Recommended for you:

Supply Chain Fraud: The Threat from Within

Lindsey LaManna

Supply chain fraud – whether perpetrated by suppliers, subcontractors, employees, or some combination of those – can take many forms. Among the most common are:

  • Falsified labor
  • Inflated bills or expense accounts
  • Bribery and corruption
  • Phantom vendor accounts or invoices
  • Bid rigging
  • Grey markets (counterfeit or knockoff products)
  • Failure to meet specifications (resulting in substandard or dangerous goods)
  • Unauthorized disbursements

LSAP_Smart Supply Chains_graphics_briefook inside

Perhaps the most damaging sources of supply chain fraud are internal, especially collusion between an employee and a supplier. Such partnerships help fraudsters evade independent checks and other controls, enabling them to steal larger amounts. The median loss from fraud committed
by a single thief was US$80,000, according to the Association of Certified Fraud Examiners (ACFE).

Costs increase along with the number of perpetrators involved. Fraud involving two thieves had a median loss of US$200,000; fraud involving three people had a median loss of US$355,000; and fraud with four or more had a median loss of more than US$500,000, according to ACFE.

Build a culture to fight fraud

The most effective method to fight internal supply chain theft is to create a culture dedicated to fighting it. Here are a few ways to do it:

  • Make sure the board and C-level executives understand the critical nature of the supply chain and the risk of fraud throughout the procurement lifecycle.
  • Market the organization’s supply chain policies internally and among contractors.
  • Institute policies that prohibit conflicts of interest, and cross-check employee and supplier data to uncover potential conflicts.
  • Define the rules for accepting gifts from suppliers and insist that all gifts be documented.
  • Require two employees to sign off on any proposed changes to suppliers.
  • Watch for staff defections to suppliers, and pay close attention to any supplier that has recently poached an employee.

About Lindsey LaManna

Lindsey LaManna is Social and Reporting Manager for the Digitalist Magazine by SAP Global Marketing. Follow @LindseyLaManna on Twitter, on LinkedIn or Google+.


Recommended for you:

The Future Of Supplier Collaboration: 9 Things CPOs Want Their Managers To Know Now

Sundar Kamak

As a sourcing or procurement manager, you may think there’s nothing new about supplier collaboration. Your chief procurement officer (CPO) most likely disagrees.
Forward-thinking CPOs acknowledge the benefit of supplier partnerships. They not only value collaboration, but require a revolution in how their buying organization conducts its business and operations. “Procurement must start looking to suppliers for inspiration and new capability, stop prescribing specifications and start tapping into the expertise of suppliers,” writes David Rae in Procurement Leaders. The CEO expects it of your CPO, and your CPO expects it of you. For sourcing managers, this can be a lot of pressure.

Here are nine things your CPO wants you to know about how supplier collaboration is changing – and why it matters to your company’s future and your own future.

1. The need for supplier collaboration in procurement is greater than ever

Over half (65%) of procurement practitioners say procurement at their company is becoming more collaborative with suppliers, according to The Future of Procurement, Making Collaboration Pay Off, by Oxford Economics. Why? Because the pace of business has increased exponentially, and businesses must be able to respond to new market demands with agility and innovation. In this climate, buyers are relying on suppliers more than ever before. And buyers aren’t collaborating with suppliers merely as providers of materials and goods, but as strategic partners that can help create products that are competitive differentiators.

Supplier collaboration itself isn’t new. What’s new is that it’s taken on a much greater urgency and importance.

2. You’re probably not realizing the full collective power of your supplier relationships

Supplier collaboration has always been a function of maintaining a delicate balance between demand and supply. For the most part, the primary focus of the supplier relationship is ensuring the right materials are available at the right time and location. However, sourcing managers with a narrow focus on delivery are missing out on one of the greatest advantages of forging collaborative supplier partnerships: an opportunity to drive synergies that are otherwise perceived as impossible within the confines of the business. The game-changer is when you drive those synergies with thousands, not hundreds of suppliers. Look at the Apple Store as a prime example of collaboration en masse. Without the apps, the iPhone is just another ordinary phone!

3. Collaboration comes in more than one flavor

Suppliers don’t just collaborate with you to provide a critical component or service. They also work with your engineers to help ensure costs are optimized from the buyer’s perspective as well as the supplier’s side. They may even take over the provisioning of an entire end-to-end solution. Or co-design with your R&D team through joint research and development. These forms of collaboration aren’t new, but they are becoming more common and more critical. And they are becoming more impactful, because once you start extending any of these collaboration models to more and more suppliers, your capabilities as a business increase by orders of magnitude. If one good supplier can enable your company to build its brand, expand its reach, and establish its position as a market leader – imagine what’s possible when you work collaboratively with hundreds or thousands of suppliers.

4. Keeping product sustainability top of mind pays off

Facing increasing demand for sustainable products and production, companies are relying on suppliers to answer this new market requirement.

As a sourcing manager, you may need to go outside your comfort zone to think about new, innovative ways to collaborate for achieving sustainability. Recently, I heard from an acquaintance who is a CPO of a leading services company. His organization is currently collaborating with one of the largest suppliers in the world to adhere to regulatory mandates and consumer demand for “lean and green” lightbulbs. Although this approach was interesting to me, what really struck me was his observation on how this co-innovation with the supplier is spawning cost and resource optimization and the delivery of competitive products. As reported by Andrew Winston in The Harvard Business Review, Target and Walmart partnered to launch the Personal Care Sustainability Summit last year. So even competitors are collaborating with each other and with their suppliers in the name of sustainability.

5. Co-marketing is a win-win

Look at your list of suppliers. Does anyone have a brand that is bigger than your company’s? Believe it or not, almost all of us do. So why not seize the opportunity to raise your and your supplier’s brand profile in the marketplace?

Take Intel, for example. The laptop you’re working on right now may very well have an “Intel inside” sticker on it. That’s co-marketing at work. Consistently ranked as one of the world’s top 100 most valuable brands by Millward Brown Optimor, this largest supplier of microprocessors is world-renowned for its technology and innovation. For many companies that buy supplies from Intel, the decision to co-market is a strategic approach to convey that the product is reliable and provides real value for their computing needs.

6. Suppliers get to choose their customers, too

Increased competition for high-performing suppliers is changing the way procurement operates, say 58% of procurement executives in the Oxford Economics study. Buyers have a responsibility to the supplier – and to their CEO – to be a customer of choice. When the economy is going well, you might be able to dictate the supplier’s goods and services – and sometimes even the service delivery model. When times get tough (and they can very quickly), suppliers will typically reevaluate your organization’s needs to see whether they can continue service in a fiscally responsible manner. To secure suppliers’ attention in favorable and challenging economic conditions, your organization should establish collaborative and mutually productive partnerships with them.

7. Suppliers can help simplify operations

Cost optimization will always be one of your performance metrics; however, that is only one small part of the entire puzzle. What will help your organization get noticed is leveraging the supplier relationship to innovate new and better ways of managing the product line and operating the business while balancing risk and cost optimization. Ask yourself: Which functions are no longer needed? Can they be outsourced to a supplier that can perform them better? What can be automated?

8. Suppliers have a better grasp of your sourcing categories than you do

Understand your category like never before so that your organization can realize the full potential of its supplier investments while delivering products that are consistent and of high quality. How? By leveraging the wisdom of your suppliers. To be blunt: they know more than you do. Tap into that knowledge to gain a solid understanding of the product, market category, suppliers’ capabilities, and shifting dynamics in the industry, If a buyer does not understand these areas deeply, no amount of collaboration will empower a supplier to help your company innovate as well as optimize costs and resources.

9. Remember that there’s something in it for you as well

All of us want to do strategic, impactful work. Sourcing managers with aspirations of becoming CPOs should move beyond writing contracts and pushing PO requests by building strategic procurement skill sets. For example, a working knowledge in analytics allows you to choose suppliers that can shape the market and help a product succeed – and can catch the eye of the senior leadership team.

Sundar Kamak is global vice president of solutions marketing at Ariba, an SAP company.

For more on supplier collaboration, read Making Collaboration Pay Off, part of a series on the Future of Procurement, by Oxford Economics.


Recommended for you:

Three Reasons Why The Internet Of Things Is Showing Hockey Stick Growth

Paul Clark

The already massive amount of data being produced daily is going to proliferate with the growth of the Internet of Things (IoT). An innovative infrastructure must be able to accommodate the billions of connected devices being introduced worldwide that will generate unfathomable amounts of data.

“Within the next three years, the data created by IoT devices will reach 403 trillion gigabytes annually.”
– 99 Mind-Blowing Ways the Digital Economy is Changing the Future of Business, Source: Cisco, Global Cloud Index

Less than five years ago, Big Data was thought of as a data management challenge. Today, supercomputing power is everywhere, microprocessors are in every device, computers can be scaled as needed, and in-memory, real-time computing solutions are revolutionizing business software. As a result, data volumes are expected to grow to 6 billion petabytes, including unstructured data such as social networking and low-level IoT data.

The concept of IoT is not new, but what is new are the factors contributing to the popularity of IoT. The SAP eBook, Digital Disruption: How Digital Technology is Transforming Our World, says the extensive growth in the IoT market is due to three main factors:

  1. Inexpensive sensors. The cost of product sensors has dropped dramatically, allowing even startups to easily create innovative IoT product applications.
  1. Stronger computing power. Analytics and in-memory computing solutions enable the computing power necessary to gain insightful meaning from big data and data lakes in real time.
  1. Internet protocol IPv6. The new IPv6 enables immense IoT expansion by increasing IP addresses from 32 bits to 128 bits, which could support up to 78 octillion Internet addresses, allowing an almost unlimited number of people, processes, data, and things to be connected to the Internet.

How to manage it all

As everything becomes more connected, how will we use and manage this unprecedented amount of data? Data management and in-memory computing solutions are increasingly essential tools. They enable companies to unlock immense value from the volumes of data being collected from an escalating number of sources such as product sensors, mobile devices, machines, asset monitors, computers, and social media platforms.

New advances in in-memory computing technology delivering enriched interactive analytics will make it easier for businesses to combine structured transactional data from existing applications with new contextual data from multiple other sources, including IoT applications.

As the number of IoT sensors increases, the amount of information created from this exponential growth in IoT is sure to bring new meaning to the term “Big Data.”

Learn more about IoT, data analytics, and other facets of digital transformation in the SAP eBook Digital Disruption: How Digital Technology is Transforming Our World.


About Paul Clark

Paul Clark is responsible for developing and executing partner marketing strategies, activities, and programs in joint go-to-market plans with global technology partners. The goal is to increase opportunities, pipeline, and revenue through demand generation via SAP's global and local partner ecosystems.

Recommended for you: