The matrix revisited: risk and control matrices can provide internal auditors with a comprehensive picture of the tools management uses to ensure accurate financial statements
Internal Auditor, August 2004, by James Roth and Donald Espersen
SECTION 404 OF THE U.S. Sarbanes-Oxley Act of 2002 requires evaluation of how public companies' financial reporting controls are designed and implemented. The most resource-intensive facet of this evaluation is the documenting and testing of control activities within business processes. This is usually done with a risk/control matrix (see an example of such a matrix on page 89).
The matrix provides internal auditors with an excellent risk assessment tool, presenting a clear picture of the processes, risks, controls, and monitoring methods management uses in ensuring accurate financial statements. When preparing a risk/control matrix, internal auditors should keep in mind the following issues.
CONTROL OBJECTIVES SHOULD BE END-RESULT STATEMENTS THAT ARE RELEVANT TO SARBANES-OXLEY. Some consultants and public accounting firms have taken exhaustive listings of controls they developed for other purposes and given them to their clients as Sarbanes-Oxley "templates." Clients are told to use them as their control objectives. One such template has 30 control "objectives" for accounts payable. These include: "Three-way match--purchase orders, goods receipts, and vendor invoices are matched." and "The cash discounts policy is enforced."
Neither statement, however, is an objective. Both are control activities designed to accomplish certain objectives. The second statement regarding cash discounts relates to an operational, not a financial, control objective. It is irrelevant to the purpose of Sarbanes-Oxley. Missing cash discounts will not result in a material financial statement misstatement.
Starting with objectives--the end-result statements of what is to be accomplished--helps users understand why controls are important and become effective internal control owners. Without them, Sarbanes-Oxley work can become an empty exercise in documentation.
The second volume of the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework report gives just five objectives for accounts payable. "Identify available discounts" is correctly phrased as an end-result statement, but it is classified as an operational objective and would therefore not be included in a Sarbanes-Oxley evaluation. The other four objectives are:
* Accurately record invoices on a timely basis for all authorized purchases.
* Accurately record returns and allowances for all authorized credits.
* Ensure completeness and accuracy of accounts payable transactions.
* Safeguard accounts payable records.
Together, these four statements cover the financial reporting objectives for accounts payable.
An overly detailed control analysis is wasteful and counterproductive. People easily can get lost in the details and miss the high-level risks that can cause material misstatements. Take, for example, the process of estimating the allowance for bad debts. It has just one control objective. Phrased as an end-result statement, it is "Fairly state the allowance for bad debts."
USE SIMPLE LANGUAGE LIKE "WHAT COULD GO WRONG?" TO IDENTIFY RISK EVENTS. One way to evaluate risk is to identify the events that would prevent an objective from being met. In the bad debts example, possible risk events include inaccurate data, faulty estimation model, and management override.
ASSESS THE UNMITIGATED LEVEL OF EACH RISK EVENT. How likely is this event to occur in the normal course of business if no controls are designed specifically to prevent it? And if it did occur, how likely is it to result in a material misstatement? A simple ranking of high, medium, or low on each question is precise enough for the analysis.
Surprisingly, this simple risk assessment step is often missing from Sarbanes-Oxley matrices. Perhaps that is why most of these projects operate in overkill mode. Without assessing the underlying risk, it is difficult to know which controls are key. The default seems to be calling every control key unless it is obviously unimportant.
In the bad debt example, the most likely cause of a material misstatement is income management, intentionally misstating the account to achieve a desired net income.
FOCUS ON CONTROLS OVER THE HIGH INHERENT RISKS, AND THINK OF CONTROLS BROADLY. Eleven years after the COSO report was published, most people still think of controls in terms of low-level control activities (e.g., authorizations). These are important for Sarbanes-Oxley purposes only if they are needed to prevent a risk event that could result in a material misstatement. Often, though, the key controls operate at a higher level and can easily get overlooked when the evaluation team is focusing on minute details.
In the bad-debts example, what are the controls over management override? Control procedures at lower levels are irrelevant to this risk. Preventive controls include management's integrity and penalties, like those in Sarbanes-Oxley, for falsifying financial statements. Unfortunately, these controls are not always reliable. For assurance, evaluators must look to detective controls like independent internal and external auditors, supported by an independent audit committee. For Sarbanes-Oxley purposes, detective controls--particularly monitoring controls--are often more important than preventive controls.
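The method described in the last four points (state the objective, ask what could go wrong, rate each event's unmitigated likelihood and impact, then decide which controls are key) can be modelled directly. The following is an added example written for this page; it is not a tool from the article or from COSO. The three-point scale, the rule for combining likelihood and impact into an inherent rating, the "key control" rule (a control is key only if it addresses a high inherent risk), and all matrix entries for the bad-debts and cash-discount examples are constructed from the text and are assumptions, not prescribed by Sarbanes-Oxley.

```python
from dataclasses import dataclass

# Assumed three-point scale; the article says high/medium/low is precise enough.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskEvent:
    name: str
    likelihood: str   # how likely the event is, absent controls designed to prevent it
    impact: str       # how likely its occurrence is to cause a material misstatement

    def inherent_rating(self) -> str:
        """Unmitigated rating. Assumption: multiply the two rankings (1-9) and
        bucket the score: >= 6 is high, >= 3 is medium, otherwise low."""
        score = LEVELS[self.likelihood] * LEVELS[self.impact]
        if score >= 6:
            return "high"
        if score >= 3:
            return "medium"
        return "low"


@dataclass
class Control:
    name: str
    kind: str         # "preventive" or "detective"
    level: str        # "activity" (transaction-level) or "monitoring" (entity-level oversight)
    mitigates: tuple  # names of the risk events this control addresses


@dataclass
class Objective:
    statement: str    # phrased as an end-result statement
    category: str     # "financial reporting" or "operational"
    risks: tuple      # RiskEvent instances: "what could go wrong?"


def in_scope(objectives):
    """Only financial-reporting objectives belong in a Section 404 matrix."""
    return [o for o in objectives if o.category == "financial reporting"]


def key_controls(objective, controls):
    """A control is key only if it addresses a risk event whose inherent rating is high."""
    high = {r.name for r in objective.risks if r.inherent_rating() == "high"}
    return [c for c in controls if high & set(c.mitigates)]


def uncovered_high_risks(objective, controls):
    """High inherent risks with no control mapped to them: the gaps that matter."""
    covered = {name for c in controls for name in c.mitigates}
    return [r.name for r in objective.risks
            if r.inherent_rating() == "high" and r.name not in covered]


def build_example():
    """Constructed matrix entries based on the article's examples (ratings are assumed)."""
    bad_debts = Objective(
        "Fairly state the allowance for bad debts", "financial reporting",
        (RiskEvent("Inaccurate data", "medium", "medium"),
         RiskEvent("Faulty estimation model", "medium", "medium"),
         RiskEvent("Management override", "medium", "high")))
    discounts = Objective(
        "Identify available discounts", "operational",
        (RiskEvent("Cash discounts missed", "high", "low"),))
    controls = [
        Control("Aging report reconciled to the general ledger", "preventive", "activity",
                ("Inaccurate data",)),
        Control("Controller reviews the estimation model each quarter", "detective", "activity",
                ("Faulty estimation model",)),
        Control("Audit committee oversight with internal and external audit review of the estimate",
                "detective", "monitoring", ("Management override",)),
    ]
    return [bad_debts, discounts], controls


def evaluate(objectives, controls):
    """Summarise one matrix: ratings, key controls and gaps for each in-scope objective."""
    report = {}
    for o in in_scope(objectives):
        report[o.statement] = {
            "ratings": {r.name: r.inherent_rating() for r in o.risks},
            "key_controls": [c.name for c in key_controls(o, controls)],
            "gaps": uncovered_high_risks(o, controls),
        }
    return report


if __name__ == "__main__":
    objs, ctrls = build_example()
    for statement, result in evaluate(objs, ctrls).items():
        print(statement)
        for field_name, value in result.items():
            print(f"  {field_name}: {value}")
```

Running it shows the point of the article: the operational discount objective drops out of scope, the two activity-level controls are not key because the risks they address are only medium, and the only key control is the monitoring-level one over management override. Removing that monitoring control leaves a high inherent risk with no control mapped to it, which is the gap a matrix built from a vendor "template" of low-level activities would not reveal.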