I discussed the “Disk of Risk”, and our apparent difficulty in thinking “end to end” about risk and controls, some weeks back.
Ruminating over this, I was fascinated by a commentary by the distinguished Norman Marks, the evangelist for “better run business”, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information.
Norman, as many of you know, knows a thing or two about this topic, having led audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.
For someone enjoying retirement, Norman is still a prolific commentator on the state of risk management.
The subject of his latest missive “Almost every SOX program has too many controls in scope” resonated with me and echoed a number of recent discussions.
The guidance from the SEC and PCAOB is that the acceptable level of risk is less than a “reasonable possibility”, as in their definition of a material weakness:
“…a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.”
Norman also shares a practical definition of a key control:
“A key control is a control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be prevented or detected on a timely basis. In other words, a key control is one that is required to provide reasonable assurance that material errors will be prevented or timely detected.”
Candidates for addition to ICFR/SOX scope should face a challenge or two:
- Where is the risk (of a material error or omission)?
- Why should this be included?
- Show me where the regulators require this.
Of course, this raises the question of what is a “material weakness” and the threshold for materiality.
The materiality threshold is often defined as a percentage of net income (earnings / profits). Most commonly, the percentage is in the range of 5 to 10 percent (for example, an amount below 5% is immaterial, an amount above 10% is material, and 5 to 10% requires judgment).
This, of course, means that for a company with $1bn in net income, the materiality threshold (at the 5% end of that range) is $50m.
Makes you think . . . .
He also discusses WHY we often have too many controls in scope, including:
- External auditor insistence, even when management does not agree
- Perceived “important controls” and those related to the “risk of the day”
- Lack of controls rationalization
- Fear of reaction from management or the external auditor
Thank you, Norman.
Thanks for reading . . .