Category: Internal Control Archives — C. Lynn Northrup, CPA, CPIM
Health care costs are outrageous and continue to climb. A Business Week article reported that over 700 hundred billion dollars is wasted on countless wasted procedures, fraud, and unnecessary treatments. After thinking about the current state of the economy, this revelation struck home. With all the effort being placed on health care reform, it is shocking that this legislation will have no impact on the rising level of health care costs.
Because the health care system operates on a fee-for-service basis, there is no incentive for doctors and medical care facilities to eliminate waste and do a better job of cost control. While there is no incentive for doctors, there seems to be plenty for those who are interested in using the system to fraudulently rip off the system for an estimated $150 billion or more.
In thinking about this mess, I tried to consider some potential solutions. CPAs have lots of tools to assist in fraud investigation. The talent is there to get the job done. Why not engage some of the best resources available to stem the tide of leakage from fraud?
The health care system is a process, just like internal control and business processes. Again, wouldn’t it make sense to tap into the lean experts that are streamlining our supply chain and provide focus on the health care system?
When considering cost containment and control, health care represents one of our biggest challenges. I realize the political sensitivity and polarization that surrounds these issues, but government could wake up and pay attention to the talent pool available and make some real progress in contrast to pushing legislation that isn’t going to get the job done. The answer doesn’t lie with Congress; it requires executive action to take the steps that could really make a difference.
In the current economic environment there are lots of business owners struggling to deal with issues and problems and no idea on where and how to get help. Likewise there are CPAs who are asked by their clients for assistance in areas where they lack the knowledge and experience to provide support. It is a perception that help has to be geographically accessible. The reality in many situations is that there are virtual means of accessing the necessary experience and assistance.
Many services, including training, can be provided virtually using the telephone, e-mail, and conferencing tools. I selected the areas of my expertise that could be delivered virtually. It is possible to review strategy and operational situations by using my questionnaires and experience in effective ways. Another situation faced by many companies is that they lack the financial expertise to provide the financial and controllership skills required to survive the current difficult economic environment. Virtual tools are available to share financial information and in many instances an experienced financial manager can provide the needed suggestions that can make the difference between success and failure.
Internal controls represent an area where CPAs need some assistance so they can avoid reinventing the wheel. In many instances I can provide instant answers to questions and provide suggested solutions that could otherwise take hours to solve. Based on working with the COSO internal control framework and assessing audit risk, I can provide direction and advice to practitioners and even help them review their work papers to minimize their risk.
My dealings with family-owned businesses have provided me with firsthand experience in working with succession and planning issues including estate and trust planning tools. It is like having someone working in your CPA practice where you can discuss and review a problem for potential solutions.
Some other areas where virtual assistance is available are cost management, operations and supply chain management. Why struggle with these areas when help is a phone call away? I can also provide assistance with strategic planning and share checklists and questionnaires that will allow you to facilitate development of strategic thinking with your clients. If you are a business looking for assistance, I can provide virtual support and training in these and other specialized areas.
You may not have given thought to using virtual support or training, but it is available and utilized all the time. It is a cost-effective way to receive the assistance you need. Give me a call to discuss ways that I might be of assistance.
Why not virtual consulting and business support? Since I have always performed consulting services at clients’ sites, this represents an interesting question. In the current economic environment when every dollar counts it occurred to me that I could provide companies with excellent support and advice they might not be able to access in their geographic region. I teach on-line courses for Villanova University in conjunction with Bisk Education where I facilitate live discussion sessions with students every week. If I could teach on line then why not consult on line?
After pondering the topic and the question, the answer seems pretty straightforward. Clients could really benefit from such an approach. In one of my recent live discussion sessions we had an extensive dialogue on the transformation of communication. Virtual communication is what has evolved in today’s world. Since we communicate virtually, then consulting and business advisory support represents a logical approach.
Telephone and e-mail are logical tools that most clients understand. The part which is a mystery to them is realizing that we can conduct an on-line dialog over the internet utilizing voice in addition to sharing of presentations and other analytical tools. It isn’t quite the same as face to face communication, but it works pretty well and is a lot cheaper and more time effective. It is an approach that works well enough to help a large number of clients. Virtual consulting can save time and reduce costs so traveling to client sites is limited only to the bare essentials.
In addition to reducing costs and improving efficiency, this approach saves a lot of wear and tear and allows me to reach out to a greater audience and expand my market reach. I can now help more people access my knowledge and expertise. I think this is a good way to work especially in a tough economic environment.
COSO issued new information and direction on monitoring internal control during January 2009 in a three volume publication titled Guidance on Monitoring Internal Control. Monitoring of internal control is performed through application of ongoing evaluations and separate evaluations to ascertain whether other components of internal control continue to function as designed and intended. These evaluations facilitate identification of internal control deficiencies. The deficiencies then need to be communicated to appropriate officials responsible for taking corrective action and where appropriate to higher levels of management and the board of directors.
It is important to realize that business risks change over time. The internal control system must be capable of determining that the internal control system continues to be relevant and able to address any new risks. Monitoring should address requirements for revisions in the design of controls as risks change. It also provides assurance regarding the ability of the internal control system to contain risks at an acceptable level in order to provide for effective and efficient operations.
Monitoring follows a risk based approach in evaluating risks linked to achieving operational objectives. It is important to establish a monitoring foundation that includes procedures for evaluating risks, assessing controls, and reporting the results together with any required corrective action steps.
One of the primary elements of the monitoring includes establishing an effective tone at the top of the organization giving a high priority to an effective internal control system. Effective “tone at the top” ensures that the management team and the board of directors are supportive of the evaluation process. Successful monitoring of internal control requires the selection and utilization of evaluators who have a baseline understanding of internal control. They also will have the suitable capabilities, resources, and authority to conduct a meaningful assessment of the internal control system.
Since the enactment of the Sarbanes-Oxley Legislation I have developed multiple training programs dealing with assessment of internal control in addition to my book, Profitable Sarbanes-Oxley Compliance. Please feel free to contact me with your internal control questions and to discuss how to create and implement an internal control monitoring program.
Management philosophy is synonymous with “tone at the top” and provides direction as to how the organization will manage its financial reporting and articulate its objectives relative to internal control. Management attitude sets the foundation for financial reporting assertions and the application of accounting principles. The philosophy and operating style of management determines how financial reporting objectives and risk mitigation practices are established and executed.
Many smaller companies have entrepreneurial management teams that don’t always understand accounting and internal control processes. Promoting the importance of risk mitigation and appropriate interaction associated with transaction processing requirements is an adjustment for management teams of smaller companies. In many instances, adjustments need to be made so that all journal entries, together with the underlying assumptions and estimates, are properly authorized and supported by sufficient documentation. Management operating style trickles down to employees, so there needs to be clear communication and application of business judgment so that qualified personnel are in place to perform effectively designed controls. It is critical for smaller organizations to ensure that management communicates effectively with employees as well as external parties relative to information linked to financial reporting objectives and the necessity for accurate and fairly presented financial reporting. Management needs to take financial reporting and internal control seriously by setting a “tone from the top” that is understood at all levels of the organization. Management philosophy and operating style needs to be “do as I do” and not just “do as I say.”
How much appetite for risk does an entity have relative to its pursuit of value? Each entity has to develop its own appetite for risk. This will depend on achieving an acceptable balance between growth, risk, and return and creating the proper relationship between risk appetite and strategy.
Effective risk management and execution of strategy requires appropriate alignment of people, processes, and the supporting infrastructure of the organization and process owners. Appetite is linked directly to strategy and is aligned with the desired level of value creation. Different strategic options will evolve based on the assessment of risk attached to each strategy. Therefore, management style and approaches to strategy will drive varying levels of appetite for risk-taking. When setting strategy, entities will vary in their approaches to risk. Qualitative approaches will categorize the entity’s appetite for risk as green, yellow, or red (high, medium, low). Entities that employ a quantitative approach will consider appropriate goals for growth, return, and risk. Risk management helps the management team choose strategies that blend with the organization’s goals for creating value.
There are a number of considerations that impact an organization’s appetite for risk. These factors will vary from business to business. It boils down to what risks the business wants or is willing to accept and what risks they want to avoid. The desired rate of return on initiatives is one of the factors that will influence risk appetite. Risk appetite will be affected by the current rate of return and the competitive need to accelerate growth. The strategic focus of the entity will directly impact whether a company has a high or a low appetite for accepting risk. Risk management needs to consider the organization’s appetite for risk and then guide management in selecting and balancing their decisions in their choice of initiatives and allocation of resources. The tolerance for entity-wide risk will then enter into the selection of objectives in the pursuit of its strategic vision.
Risk tolerance and appetite represents a balance that helps keep businesses and organizations on course and helps to avoid unnecessary and avoidable surprises. It is like walking a tightrope and then deciding how high you are willing to be, in case you fall.
The first thing to realize is that risk will evolve from either internal or external sources with the potential to affect strategy. Risk represents the possibility that some event will occur. Management’s job is to assess all the risks associated with implementing strategy and achieving the organization’s objectives. It boils down to considering the impact of all the underlying events that might have some impact. Enterprise Risk Management (ERM) is a framework for aligning risk appetite and strategy. Based on application of the framework, managing risk becomes a process of enhancing our risk management decisions. It is about reducing operational surprises and losses through a process of identifying and managing the entire multiple and cross-enterprise risks. It is more than avoiding losses; it is a process of seizing opportunities and looking for ways to improve the deployment of capital.
It is very closely linked to internal control in that it is a process that is created and managed by people. It is, or should be, applied in a strategy setting and across the enterprise. It will only provide reasonable assurance and is geared to the achievement of objectives. When we say that risk management is applied in setting strategy, we mean that it sets strategies and then considers risks relative to alternative strategies. It evaluates alternatives and helps decide on a course of action.
Risk management is applied across the entire enterprise and should consider the entire scope of activities at all levels of the organization. You need to consider special projects and new initiatives. Don’t apply the concept too narrowly because taking a portfolio of risks may override the occurrence of a single isolated event. Your assessment should consider both quantitative and qualitative factors in reaching judgments. Also, it is useful to group risks into categories so they can be effectively managed.
Now that we’ve got you started on the road to understanding risk management we will next take up risk appetite in our next post.
I am sure many CPAs have seen IFRS and heard there was going to be a convergence from Generally Accepted Accounting Principles (GAAP) to international accounting standards. But how many of them realize the magnitude of what lies ahead? I was involved in teaching SOX and internal control standards under Section 404. This gives me a pretty good idea of the effort required to make the shift. Since this web site and blog is geared to providing current and cutting edge information for businesses and CPAs it made sense to get on the IFRS bandwagon sooner rather than later.
Why all the fuss? Well, IFRS accounting standards have been adopted by 113 countries and by 2011 it will be the standard used by 150 countries. The United States is immersed in global business and investors need to have the ability to evaluate investments around the globe. This makes a pretty good case for a single set of globally accepted accounting standards. As was the case with SOX, CPAs are not yet prepared to shift to IFRS. Because of the global implications, CPAs in the United States will need to be capable of preparing and interpreting financial statements using IFRS.
The education process will be massive. It will impact investors, CPAs, and other specialists such as actuaries, and professional associations. Comprehensive education programs will be needed across the board. The AICPA has launched an initiative to help educate and pave the way for 2010 when conversion will likely be a reality.
In drafting this post the potential impact of the transition became starkly real. Colleges and universities will need to revise their curricula to accommodate the new standards. The CPA exam will need to be revised. Many CPAs could find themselves in situations where clients will demand adoption of IFRS. Those CPAs who make the effort to educate themselves will be on the winning end of the conversion game. My prediction is there will be more unprepared accountants versus those who make the leap.
This post is just the beginning and a way of sounding the alarm. I will be busy in the months ahead developing training material. Plus, we will be offering regular and current information on this site to help with the education process. I’m looking forward to the journey, so sign up for my RSS feed and newsletters. Let’s saddle up and enjoy the ride.
The new audit risk standards SAS no. 104 to SAS no. 111 issued by the AICPA in June 2006 will really come home to roost this year. They will put more pressure on auditors to apply the standards in the spirit they were designed because of the economic downturn. The risk for fraudulent misstatement of financial results will escalate due to the pressure on business owners and managers to report better results. Some of the reasons include avoiding violation of lending covenants and making a business look better in preparation for a possible sale. There can be any number of reasons.
Typically auditors follow a checklist, but now they will be required to think and use appropriate judgment about the business. There will be changes in management personnel, including key managers. When competent executives and advisors leave it puts the business in a weakened condition just when it is critical to make good decisions. In the past it was easy for management teams to run a company because it was hard to make a mistake. Now tough economic and competitive conditions demand seasoned professionals with good judgment. Many of today’s executives have never been required to deal with the uncertainty they face today.
Many of the audit teams conducting audits never audited publicly traded companies where Sarbanes-Oxley and the PCAOB established the rules. The new audit risk standards apply to privately owned companies and both owners and auditors are in for a surprise. They will have to wake up and smell the coffee and deal with a whole new world of reality.
The checklist days are over because auditors need to make inquiries and observations, in addition to gathering audit evidence to support their conclusions. Brainstorming sessions are mandatory to determine areas where fraud and material misstatements could occur. Assertions about account balances need to be evaluated. Account balances have to exist, the entity must have legal title to assets, accounts must be complete, and they must be properly stated at cost (or market if it is lower).
Cost or market could be a problem because assets may no longer be worth what was paid for them. This is an issue for inventories whose value could have slipped. Accounts receivable will be under pressure since businesses have gone downhill pretty fast and companies might not be able to meet their obligations. Therefore, bad debt write-offs could soar beyond normal ranges. Companies utilizing asset based financing will be put under significantly greater pressure.
Entire industries could be rapidly transformed and be subjected to high levels of stress. Bank covenants will come under significantly greater pressure. In addition, because banks are feeling more pressure they will start paying more attention to internal control risks. This is occurring when many companies have accounting personnel who lack the appropriate level of accounting and financial reporting training and skills.
This is the time for CPAs to go back to basics and focus on providing solid advice to their clients both on the potential risks from internal control weaknesses and on financial management of their business. It is no longer possible to survive just on preparing tax returns and financial statements.
Risk appetite represents the amount of risk that an entity or person is willing to accept in the pursuit of their goals and objectives. The level of risk will vary from low to medium to high. It depends on how the entity balances its goals for growth, return, and investment. This usually relates to quantitative analysis and is applied directly to strategy.
The Enterprise Risk Management framework works to enhance the organization by facilitating risk appetite and strategy. This is a process of linking growth, risk, and return. Using this approach provides a balance for enhancing risk response decisions and helps to minimize operational surprises and losses. It is a great platform for identifying and managing cross-enterprise risks and providing integrated responses to multiple risks. In short, it helps to reduce the downside and increase the upside. This is exactly the approach to apply in the turbulent economic conditions that we face today.
Risk appetite is established by finding an acceptable balance between growth, risk and return. It is a process of finding the right relationship between risk appetite and strategy. The risk management framework assists in the alignment of people, processes, and infrastructure. Essentially strategy guides the process of resource allocation.
Another aspect of understanding risk appetite is dealing with the entity’s tolerance for risk. This boils down to reaching acceptable levels of variation to achievement of objectives. It should be measurable. You want to align the organization to ensure that actual results will fall within an acceptable level of risk tolerance. Operating with an acceptable level of risk tolerance gives management greater assurance that the entity stays within its risk appetite.
You might ask how do we form a defined risk appetite. We need to evaluate the impact of a potential event between low, medium, and high. At the same time we need to consider the likelihood of an event occurring and make a judgment as to whether it is low, medium, or high. Events that have low impact and a low likelihood of occurrence will produce a situation falling within risk appetite. On the other hand an event with high likelihood and high impact will exceed our risk appetite.
We need to define events as incidents or occurrences that are internal or external that could affect the implementation of strategy or impair the achievement of goals and objectives. What management needs to do is identify uncertainties that exist and assess when they could occur and what will be the outcome. It is a process of evaluating a range of potential events and ranking them from obvious to obscure. The next step is to measure the potential effect from significant to insignificant. Finally a determination must be made relative to the likelihood of occurrence.
It is really a common sense and straightforward approach to managing the business by following these simple rules. Unfortunately not enough management teams follow this disciplined approach. Instead they follow the methodology of “fire, ready, aim.” This is probably the best way to lose the game. I think there is a better way as I have described above. It is a lot easier to do it right than suffer the consequences of doing it wrong.