By making the following four smart choices, you can better understand your system of internal controls and provide opportunities to reduce your total cost of compliance.

Prior to the passage of the Sarbanes-Oxley Act, it was routine for a public company CFO to include a statement in the management discussion section of an annual report that the company's internal controls were operating effectively. This was a 'faith-based' representation. In the pre-SOX days, it was unlikely that any actual analysis was done to provide the CFO with insight regarding control effectiveness.

That faith-based process no longer works. Today, all CFOs should KNOW how their company's system of internal controls works and that there are sufficient controls in place to prevent material weaknesses in financial reporting.

You can gain this comprehension and understand your potential weaknesses by:

• Performing a high-level risk assessment. Where do opportunities exist for management override of controls? What are the non-routine processes in which judgment plays a significant role in valuation? Are there significant accounts with gaps in control?
• Identifying key accounts that may contain a risk of material misstatement. You may be surprised at how many accounts really matter.

Smart Choice #2: Identify Entity-level, Monitoring and Period-end Controls

To ensure your financial reports are materially accurate, you must understand the controls in place. Entity-level controls can mean a few things; usually these are controls that set the "tone at the top" of the company. For example, they can include policies and procedures, a code of ethics, a code of conduct, hiring guidelines, a whistle-blower policy, and a strict chain of command.

Entity-level controls can also include monitoring controls, which consist of high-level reviews performed by the board of directors, audit committee, CEO, CFO and other officers or directors to ensure the financial information makes sense and that the financial data materially reflects the expected results. If something looks odd, then questions need to be asked and resolved.

In addition to monitoring controls, your company should have period-end controls that occur when you close the books. These will be performed monthly, quarterly or annually. An account reconciliation is a good period-end control. Properly performed with evidence of approval, the account reconciliation control can cover several financial statement assertions.

"Assertions" is a frequently-used, but often misunderstood, term. Financial statement assertions were first codified in the AICPA's Statements on Accounting Standards (SAS) 31, Evidential Matter, issued in August 1980 and grouped into broad categories:

• Existence or occurrence,
• Completeness,
• Rights and obligations,
• Valuation or allocation, and
• Presentation and disclosure

When we talk about financial statement assertions, we mean your controls should address the key risks to meeting these assertions. That is why a monthly account reconciliation is such a strong control. If performed properly, it provides evidence that the asset or liability exists, is complete, belongs to the company (rights and obligations), and is valued accurately.

SAS 31 was recently superseded by SAS 106, Audit Evidence, which generally kept the same financial statement assertions, but organized them into three broad areas:

• Assertions about classes of transactions and events during the period under audit.
• Assertions about account balances at the end of the period.
• Assertions about presentation and disclosure.

The newer accounting standards better define certain terms. For example, the AICPA recognized that completeness as it relates to a transaction has a different meaning than completeness as it relates to an account balance or a financial presentation.

SAS 106 does not apply to public companies. However, Auditing Standard 5 (described in the right-hand box) does require an assessment of financial statement assertions and references the assertions from SAS 31 as a guide.

Regardless of whether your company's auditor must comply with Auditing Standard 5 or SAS 106, the goal is the same. You should understand what assertions each control is accomplishing. Each significant account should have controls that cover all of the assertions at least once.

If management's assessment is performed properly, the independent auditor can rely on that work and reduce the amount of testing that must be performed by the independent auditor.

Now, with your enhanced understanding of entity-level, monitoring and period-end controls, you should address their effectiveness. It could reduce the amount of transaction testing necessary, as we'll explain next.

• Identify and document significant processes, transactions and related controls and assertions.
• Identify key computer systems and general computer controls, commonly referred to as GCCs. These allow you to know, for example, that access is restricted, back-ups are occurring on a timely basis, a restoration can be done, and software changes are properly tested before being implemented.
• Determine key manual controls at the transaction level.
• Review existing controls for each process to ensure you have the sufficient controls in place to meet the financial statement assertions.
• If necessary, test the operating effectiveness of your controls. This testing is required for public companies and may be, but is not required to be, part of the audit strategy for private entities.
• Consider how your entity-level, period-end and monitoring controls can help reduce the number of transactional tests. This is an important step because if the high-level controls have been tested and are operating effectively, you can limit the number of transactional tests you need to perform.

Coordinate your work with your auditor. Make sure there is agreement on your compliance strategy. This should lead to an overall reduction in your internal control compliance costs. Items such as process documents and control test documents provide auditors with required evidence to support their work.

For public companies, your auditor is no longer required to audit management's assessment. However, having your auditor buy-off on the work you perform could allow the auditor to place significant reliance on it. The less work they have to do, the lower your external audit costs.

Smart Choice #4: Evaluate and Communicate

Now is a good time to think about the work you performed and take the following steps to ensure the information is used effectively:

• Evaluate the results of your work that are related to the design and operating effectiveness of your internal controls. (By design effectiveness, we mean you have the right controls covering all of the assertions and by operating effectiveness, we mean they are working as intended.)
• Document these results and identify any internal control deficiencies.
• Assess any internal control deficiencies. Are they "material weaknesses" or "significant deficiencies?" These terms have defined meanings and it is critical to understand the differences. Probably the biggest factor to remember is that a material misstatement does not have to occur to have a material weakness in your system of internal controls.
• Share the results with your auditors and communicate them to staff members.
• Prepare a remediation plan for deficiencies deemed to be material weaknesses or significant deficiencies.

The internal control assessment process is just a beginning, not an end. Granted, the first time around is the most painful but the work is necessary and important. Continue to evaluate how well your controls are designed each reporting period. Also, public companies must test for operating effectiveness every reporting period.

The better your system of internal controls is documented, the more you can provide to your independent auditor, which can lead to lower overall, compliance costs. Having a solid understanding of how internal controls work is a huge benefit for the CFO and creates a win-win situation for your company and its auditors.

This article contains only general information about compliance with SOX and risk assessment auditing standards. Contact us to discuss how the operations of your manufacturing business could be improved or to arrange a meeting. We can be reached online at www.mossadams.com, or by phone at 888-MADE AT MOSS.

The material appearing in this newsletter is for informational purposes only and is not legal advice. Communication of this information is not intended to create, and receipt does not constitute a legal relationship, including, but not limited to, an attorney-client or accountant-client relationship. The information provided herein is intended only as general information which may or may not reflect the most current developments. Although these materials may be prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.