All posts by Dean Gill

Sarbanes-Oxley How Should CMO Prepare the Marketing Department

The Magic Words: Internal Control Structure and Procedures

In 1985, inspired by an alarming increase in fraudulent corporate financial reporting, a consortium of the largest accounting professional associations formed the National Commission on Fraudulent Financial Reporting, more commonly referred to as The Treadway Commission. Each member of the consortium also participates in a supporting organization, COSO (literally, the Counsel of Supporting Organizations). COSO works on ethical and professional issues for the accounting profession. Periodically, it comes out with a report. These reports and their recommendations have a powerful self-governing influence on accountants.

In a 1992 report, COSO defined the ambiguous phrase "internal control": Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: 1) effectiveness and efficiency of operations; 2) reliability of financial reporting; 3) compliance with applicable laws and regulations.

To be expressed as written policy and for tracking and reporting purposes, the COSO report states that the internal control process manifests as a framework. COSO identifies eight core elements in its integrated framework for internal control. Section 404 specifically calls for just such an internal control structure, which management has to describe and evaluate for effectiveness in the company's annual report. The SEC mentions COSO by name in its rules for 404, and declines to make it the official legal standard only because foreign companies doing business in the United States might use a different structure. Thus, in practice, if not by law, the COSO framework probably will be the benchmark standard of internal control structure and procedures for US companies complying with 404. In part, the SEC says:

The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements.

Using the COSO Framework for Sarbanes-Oxley Internal Control Compliance

The draft COSO framework covers a wide swath of territory, ranging from declaratory statements about a company's values and culture to specific parameters around data storage and integrity. Each element contributes to the overall evaluation of the company's exposure to risk, whether market or regulatory.

Here are highlights of the framework where an effective analytical capability would be especially useful:

- Event Identification: This is a company's ability to draw insight from its information and flag the contingencies upon which the objectives are premised. Aggregate analytical capabilities would be critical: in some cases, it may be useful to group potential events into categories. By aggregating events horizontally across an entity and vertically within operating units, management develops an understanding of the interrelationships between events, gaining enhanced information as a basis for risk assessment.

- Risk Assessment: This is the assessment of the probability of those contingencies. Risk assessment employs both qualitative and quantitative analytic methods and evaluates potential uncertainties as they unfold, whether they are internally or externally generated.

- Control Activities: These are the policies and procedures that ensure that risk responses are carried out efficiently. Here too, analytic capabilities are called for in two key areas. 1) COSO identifies general controls as encompassing IT infrastructure and management, security management and software. 2) Application controls are designed to ensure completeness, accuracy and validity of data capture and processing.

- Information & Communication: Analytics is the solution for COSO's information & communication element of internal control. COSO says information is needed at all levels of an organization to identify, assess and respond to risk. Pertinent information from both internal and external sources must be captured and shared in a form and time-frame that equips personnel to react quickly and efficiently. Effective communication also involves the exchange of relevant data with external parties, such as customers, vendors, regulators and shareholders. Effective enterprise risk management relies on both historical and current data. Historical data tracks actual performance against targets, identifies trends, correlates results and forecasts performance. Historical data also provides early warning signals concerning potential risk-related events. Current data gives management a real-time view of risks inherent in a process, function or unit. This enables an organization to alter its activities as needed in keeping with its risk appetite. (Continued – Part 4)

Disclaimer

The information and opinions expressed in this paper are not intended to be a comprehensive description, nor to provide legal advice, and should not be treated as a substitute for specific advice concerning individual situations. While the author and Upper Quadrant have made every attempt to ensure that the information contained in this document is accurate, neither the author nor Upper Quadrant is responsible for any errors or omissions, or for the results obtained from the use of this information.


CFO how marketing should plan and prepare for Sarbanes-Oxley compliance and measurement – Part 4

Sales & Marketing's Unique Challenge

The Sales and Marketing function faces a unique compliance obstacle. More than any other function, it relies on guesswork for its most critical financial instruments. Sales forecasts generate guesses about what a given market demand should be. Sales plans generate guesses about how the company should capture that demand. Opportunity assessments generate guesses about a company's or product's addressable market. Critically, many other business functions depend on sales and marketing's guesses:

- Finance projects cost and profit levels and capital needs based on a given sales forecast, and usually publishes its expectations to Wall Street.

- For a manufacturer, operations plans what to produce, and thus what raw materials to procure, based on a given sales plan or forecast. Service organizations allocate human capital and adjust fulfillment plans. A real-world example demonstrates the potential impact of getting it wrong: a major airline over-forecast nearly 60,000 seats crossing the Atlantic four summers ago, and had to swallow enormous costs from the capacity it built to accommodate these phantom flyers. It had already paid access fees to airports, allocated planes, entered longer-term fuel contracts, etc. When summer came, planes with as few as 15 passengers would make the crossing. The ticket charges couldn't even pay for the direct costs of making the flight!

Unfortunately, sales projections are often based on the plan of what executives want to sell, not on an analytic assessment of the actual market demand at the time of the forecast. The next most common method is to premise the forecast on some loose version of historical analysis: "this is what we sold last year; this year, we'll beat it by 2%." Will Sarbanes-Oxley digest such back-of-the-envelope or simplistic analyses? Do you want to take the risk to find out? Taking a chance is probably not a good idea. In practical terms, compliance will require transparent, accurate and effective processes for generating forecasts.

In fact, any financial report that will eventually be used or relied upon by the CFO or any other part of the business should be drafted with awareness that someday, along with hundreds of thousands of other documents, it may end up as part of a response to a subpoena. Ordinarily, future statements are not actionable (we've all seen the disclaimer at the bottom of nearly every press release), but that is not the point. It's not that the reports and forecasts of sales & marketing contain prognostication; it's about whether those reports and forecasts were developed through sound analytic and business practices, i.e. under an umbrella of internal control. While the prognostications themselves may be beyond legal recourse, the processes behind them probably are not. (Continued in Part 5)
