The Top 10 List for Implementing AS5

Most people believe that the AS5 will save compliance costs by emphasizing a top down, risk based approach. Todd Neff at Compliance Week mentioned top 10 list for implementing AS5 where to invest most of your time and efforts:

  1. Develop precise, lean entity-level controls. Such controls are more detailed than those offered by the likes of COSO, McCuaig said, and probably already exist in well-run businesses, though perhaps not in the accounting function. A lean control involves management monitoring, process-owner testing, and self-assessment.
  2. Ensure a lean, strong control environment. McCuaig described this as “hardening” the control environment. Doing so involves developing detailed criteria to identify and assess all elements of a control environment, identify and report issues, and seek out and deal with bad behavior.
  3. Use fraud risk scenarios. McCuaig said companies should know precisely how they would counter any number of not-good scenarios, including executive pressure for “creative” accounting, altered shipping dates, major debt-covenant breaches or the creation of fake customers. They should be confident enough in that knowledge to present it to the board of directors.
  4. Assess the risk associated with period-end processes. Forty-one percent of deficiencies stem from problems with periodic financial processing, McCuaig said. Stanching the flow requires a much more detailed consideration than in the past, including the “fat risks” of incorrect calculations; incomplete, invalid, or missing transactions; cut-off errors; and incorrect interpretation of regulations, among others.
  5. Focus on significant accounts. Account size is only one consideration, McCuaig said. Risk factors include the exposure to losses, the volume and complexity of activity, the use of the account—is management compensated based on how much money is in it?—and error history, he said.
  6. Assess significant risks. For significant accounts, what can go wrong? What could happen if a significant account were misstated? Controls should be assigned only after a consideration of specific risks, and the probability of the risk happening, he said. Risk assessment should be the job of the company itself, and not external auditors who almost always lack the insight to do a proper job, McCuaig said.
  7. Limit relevant assertions. Anybody with a keyboard can create an assertion these days, McCuaig said. Relative risk must come into play. He suggested applying a “reasonable possibility” test to assertions, and a senior executive should approve all assertions. Only 20-25 percent of assertions pass that test, he said; those that don’t should be removed from Sarbanes scope.
  8. Identify significant locations. As with significant accounts, the largest location may not be the most significant. Companies should consider the quality of an internal control, the susceptibility to fraud, and the number and type of employees, among other factors.
  9. Assess the risk associated with IT general controls. IT generates perhaps 5 percent of deficiencies, McCuaig said. “There’s a huge amount of work being done, but I’m not sure how much of it should be for IT,” he said. In general, he would rather focus controls on people than systems, he said.
  10. Keep score—track deficiencies. This involves tracking deficiencies, identifying concentrations or absences of them, addressing root causes, and developing a deficiency reporting policy, McCuaig said.

 Some key risks can also be found when looking at statistics of material weakness exposed at financial reporting.

Type Pct.

Financial Systems & Procedures
Accounting Policies, Practices 33.3%
Lease Accounting 10.0%
Inventory Issues 6.7%
Stock Option, Comp. Accounting 6.7%
Taxes 6.7%
Account Reconciliation 3.3%
Financial Close Process 3.3%
Revenue Recognition 3.3%
Valuation Issues 3.3%

Subtotal 76.7%
Personnel Issues
Staff (Inexperienced, Lack of) 10.0%
Segregation of Duties 3.3%

Subtotal 13.3%
Other Problems
Control Environment 3.3%
M&A Issues 3.3%

Subtotal 10.0%

Based on 29 material weaknesses made in June 2005; some companies disclosed more than one weakness.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: