Corporate Governance


Original White Paper on what is now called "GRC," written in 2003 for the CFO Project.

Published in: Business, Economy & Finance
After Sarbanes-Oxley

Corporate Governance Post-Sarbanes-Oxley: Embracing the Tenets of a Strong Internal Control Framework

Internal Audit · Accounting · Technology · Tax

How did we get here?

During the latter half of the last century, great focus was placed on what drove human behavior in organizations, in order to improve operations and the bottom line. Figures such as Maslow and McGregor strove to put a sense of understanding around what drove individuals to behave in certain ways in organizations, and how to manage those behaviors.

However, in spite of all of the significant brainpower that has gone into determining how people behave at work, and the resulting efforts undertaken to modify the work environment accordingly, the fundamental behavior patterns that were around at the dawn of the 20th century are equally prevalent at the dawn of the 21st. More importantly, failure to establish a uniform definition of a control environment has contributed to the fiscal havoc that results from some aspects of human behavior. A tour of recent history validates this theory.

The Sarbanes-Oxley Act of 2002

In one piece of reactionary legislation, the United States Congress set wheels in motion to establish a new corporate paradigm: “perception is everything!” Suddenly, federal law set definitions for external auditor independence, stricter financial disclosures, reporting guidelines and additional public oversight. Although not the first legislation to threaten jail time for corporate executives (the Federal Sentencing Guidelines already did that for convicted corporate violators of federal laws), it specifically targeted corporate CEOs and CFOs with severe punishment for failure to provide appropriate checks and balances in the financial information provided to the investing public.

There are two extremely intriguing aspects of this landmark Act. The first is that, although the Act presents guidelines and expectations for executive management, the audit committee of the board of directors and the external auditors, it is disturbingly silent on the role that the internal auditor should play in realizing the corporate governance goals set out by the Act. The second is that this Act was fairly predictable, in an armchair-quarterback sort of way, by followers of corporate governance for about the last 15 years. The direct cause of the inevitability of the Act can be found in the persistent pattern of human behavior in the corporate world.

A Brief History Lesson

After a period of significant increases in productivity and efficiency, brought about in part by significant increases in technology and a laissez-faire government, the business world was experiencing a period of unequalled growth. Due to year-over-year increases in corporate revenues, along with related increases in bottom lines and earnings yields, investors were flocking to capital markets, driving the value of favored organizations ever higher, so long as they continued to shower favor on their investors.

Throughout the centuries, and specifically throughout recent chronicles of corporate history, human behavior has led to amazing feats, as well as spectacular failures, in both large and small organizations.

In order to continue to produce these sometimes too-rosy results, companies began to engage in creative forms of record keeping, with the ultimate purpose to continue to reflect positive earnings and cash, in order to further prime the investment pump with outside capital. Wall Street analysts, equally caught up in the fever, contributed to the unsupportable façade of corporate well-being that further promoted the investment of additional capital, which led to the over-capitalization of certain organizations.

As economic indicators began to exert greater influence than could be explained by creative accounting and rosy analysis, the paper tigers that the over-valued companies actually were began to falter. This led to a run on the market, which led to, sometimes overnight, de-valuation of these capital behemoths, leading to the failure of many of them, and the financial ruin of a large segment of the investing market.

Public outcry on the events leading to this collapse, especially as it pertained to corporate governance, led Congress to react by passing significant legislation designed to prevent further occurrences of reliance on improper financial disclosures by the investing public. In summary, the purpose of this legislation was to require that investors receive financial and other significant information concerning securities being offered for public sale; and in order to prohibit deceit, misrepresentations, and other fraud in the sale of securities, stiff penalties could be meted out to convicted violators.

Sadly enough, most armchair historians know that the legislation referred to above was not the recent Act. Instead, the circumstances described above: extremely prosperous times, technological advancements and less than scrupulous financial representations in order to continue to prop up the market, were conditions that contributed to the market collapse of 1929, and the ensuing Great Depression. Public outcry at that time led to bellwether legislation known as the Securities Act of 1933 and the subsequent Securities Exchange Act of 1934, which created the Securities and Exchange Commission (SEC), the “watchdog” of corporate governance. (The 1934 act became fondly known by public accounting practitioners as the “full auditor employment act,” in that it required all publicly-traded companies to be independently audited on an annual basis.) The “sadly” part, of course, refers to the fact that such extreme measures, brought about in large part by acts of bad human behavior by corporate management and analysts, still failed to prevent very similar consequences almost 70 years later.

After the two acts that were passed into law in 1933 and 1934, the business community was not directly targeted on the corporate governance issue for over 40 years. At that time, due to widespread “improprieties” performed by global organizations in subsidiaries not located on U.S. soil, Congress was again pressured to address “bad behavior” by passing the Foreign Corrupt Practices Act (FCPA) of 1977.

Not quite a decade later, Congress was once again strongly considering stepping in with legislative muscle regarding corporate governance and the intended role of external auditors. Over this relatively brief span of time, massive corporate scandals had once again resurfaced the need for the definition of a universally accepted concept of internal controls, corporate governance and independence guidelines, something that prior legislation had always left in the hands of the public accounting professionals and their own private oversight bodies.

In an effort to keep the government from legislating these definitions, The Committee of Sponsoring Organizations (COSO), composed of the Institute of Internal Auditors (IIA), the Financial Executives Institute (FEI), the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA) and the Institute of Management Accountants (IMA), was formed to jointly develop findings and recommendations necessary to provide an integrated framework of internal control for corporations. This was accomplished by first publishing the Report of the National Commission on Fraudulent Financial Reporting in 1987, known as “The Treadway Report,” and the definitive Internal Control – Integrated Framework in 1992. The COSO Report, as the Framework became known, was the first-ever attempt in corporate America to establish a universal definition of internal control, along with proposed guidelines for governance, independence and quality assurance. The COSO Report was considered such a strong collaborative effort by the governing associations that Congress backed off at that time from enacting legislation to govern the accounting and auditing professions.

In between these two private sector reports, the federal government did provide further federal mandates in two key areas: The Federal Sentencing Guidelines were amended in 1991 to include corporate crimes in their original scope. For the first time, executives of corporations could face both fines and jail time when their organizations were found guilty of violating federal laws such as the Clean Air Act, if it was determined that the internal control structure and overall corporate tone as it pertained to governance was so lax that it contributed to the organization’s violation(s). In addition, federal judges could also appoint trustees to monitor guilty organizations until it was determined that their internal control environment had been corrected. Also in 1991, due to the number of significant banking scandals, the Federal Deposit Insurance Corporation Improvement Act (FDICIA) was passed in order to provide stricter guidance to the banking industry.

In spite of all the legislation described above, in the latter 1990s and early 2000s, corporate America once again found itself heading for a market where, due to lapses in corporate governance in major organizations, “paper tigers” were once again in place, waiting for the inevitable devaluation slide. Of course, as recent headlines now show, it became readily apparent that corporate governance had yet again taken a back seat in certain large organizations where public investors reasonably felt most secure.

Whereas it is always much easier to second-guess the past, the purpose of this “history lesson” is only to make one key point: Said again, in spite of all the prior well-intentioned legislation passed by Congress, history repeated itself, because the mistakes of the past were never truly corrected.

Ironically, business and the affected professions came agonizingly close in the latter 1980s and early 1990s to providing the missing piece of the overall governance issue: An integrated framework of internal control – The COSO Report (which, of course, is now the inferred underpinning of the Act, based on the opinion of most pundits.) What prevented this framework from having the intended effect was leaving it as a “voluntary best practice” as opposed to a federal mandate. Of course, when left voluntary, most business people tend to treat it as a “desired” rather than a “required,” which then leads to procrastination and rationalization as to why there are more important, “cost/beneficial” things to consider.

Human Nature

In order to accept the fundamental need for objective corporate governance, it is only necessary to come to terms with the dynamic role simple human nature plays in an organization. As noted previously, a great deal of effort has been placed on determining why people behave as they do, in order to effectively manage them.

Working off the “hierarchy of needs” promoted by Maslow, McGregor saw the need to bring a “behavioral style” to business management, and deemed the two different approaches to managing behavior “Theory X” and “Theory Y.” By building on Maslow’s concept of self-actualization, McGregor was able to influence the management practices, and thereby the controls, of most organizations by distinguishing between the two styles: Theory X – strong, dictatorial, driven by staff’s inherent desire to not comply with defined procedures unless both threatened and rewarded; and Theory Y – empathetic, facilitative, driven by a belief that staff is as motivated to work as to play or rest. (Theory Y is credited with influencing later contributors [Herzberg, Peters] in their formulation of the concepts of “job enrichment” and “empowerment.”)

What tends to be overlooked by many organizations as they incorporate aspects of Theory Y and Theory X into their management styles is the fundamental importance of understanding the key characteristics of a self-actualized worker: “Like any other person, they still display frailty and failings, ‘ups and downs.’ They still express their emotions and can be critical and demonstrative towards others. They can lose their cool and be everything from ruthless to be consumed with the sulks. They typically wish to decide things for themselves, want reasons, ask questions and do not necessarily wish to conform. Finally, while they may accept the need for conformity sometimes in order to service their interests, and not to be selfish and ego-centered in ways that deny the ability of others to act in their own right, they may also say ‘no,’ and from time to time be unpredictable, as they desire to make up their own minds and be in charge of their own destinies.” {Excerpt source: Chris Jarvis for the BOLA project (Business Open Learning Archive).}

Another behavioral model necessary for understanding the role of human nature in governance dynamics centers around an individual’s personal understanding of any given topic, and is normally depicted as the “competency square.” In this square, the upper left hand corner is the home of the “unconsciously incompetent” (UI), someone who is blissfully unaware of how little they know until an event requiring the use of the missing knowledge is thrust upon them. At that time, they move to being “consciously incompetent” (CI), the lower left corner, cognizant of the fact that they are lacking the necessary understanding to deal with the issue. As the person decides to better their understanding and seek out knowledge, they proceed to the lower right corner of the square, the “consciously competent” (CC) section, now having a working knowledge of the issue at hand. Finally, if the person desires to be a “subject matter expert” vs. merely a “CC,” they will strive to move to the upper right hand quadrant, or “Unconsciously Competent” (UC), thus completing their journey through the square.

In assessing the dynamics of this model, the question arises as to whether the “competency square” should actually be a “competency circle.” When factoring human behavioral characteristics into the equation, the cyclical nature of the model becomes evident: an individual moves from CI to CC to UC, and then runs the risk of “resting on their laurels,” i.e., not investing the ongoing energy required to keep their UC level of knowledge current. This static state may work for a short duration. However, over time, the individual will eventually drift back into UI, as their current knowledge degrades to a non-relevant status.

Therefore, it is necessary for some type of “barrier” to be erected between UC and UI in the cycle. Using professional certifications as an example, this is accomplished by an “independent” governing body requiring “compliance” with annual continuing education requirements, thereby keeping the knowledge timely and relevant, in theory if not in practice. Without this ability to govern the ongoing competency of the person, the negative consequences brought about by the slide from UC to UI are almost inevitable.

A final aspect of human behavior to keep in mind is the universal application of certain traits, namely: curiosity, greed, self-rationalization and pride. In forensics literature, the key contributing factors for fraud, which is defined as a deliberate circumvention of a control environment, are known as: 1.) A perceived need by the individual; 2.) An understanding of the control environment, especially as it pertains to identified weaknesses; and 3.) A perceived culture where minor wrongdoings are tolerated, perhaps even overlooked. The four traits noted above play major roles in the factors contributing to fraud: curiosity will identify the control environment, greed will typically drive the need to act, self-rationalization will justify the individual’s behavior and pride will typically minimize the organization’s desire to appropriately punish the wrongdoer.

When the behavioral/learning/emotional traits discussed previously are combined, the argument for independent governance is compelling. Using recent history as an example, the push for empowerment in some organizations, without first determining the adequacy of the underlying control environment, provided the necessary conditions for irregularities to occur. Also, in organizations where an understanding of the importance of internal controls was once significant, without an adequately defined and maintained independent governance mechanism necessary to create the “barrier” between UC and UI, control environments were allowed to atrophy, creating the same types of situations where irregularities were possible. The creation of evolved business models, without fully embracing the importance of governance, controls and monitoring, has left corporate America ripe for the cyclical pattern of corporate blow-ups that has peppered recent history.

Perhaps the most glaring example in recent history of bad behavior run amok is the “urban legends” that have already emerged regarding the excesses of the “dot-com/dot-bombs” that came and went over the last few years. During the heyday of the dot-com investor buying spree, it was not unusual at all to see $100 million IPOs based solely on potential versus actual revenue. This capital was then, in many cases, put into the hands of “CEOs” and “CFOs” with very little applied experience in their roles, and absolutely no financial infrastructure to monitor them. These situations became immediate disasters waiting to occur: simple greed would lead to exorbitant profit-taking on clearly unprofitable organizations, while little to no fiduciary oversight or governance allowed excessive capital expenditures on “loft furniture” and “gourmet coffee machines.” Almost unbelievably, this lack of effective monitoring led to instances where the $100 million IPO noted previously would evaporate in nine to 12 months, leaving investors to speculate where their capital went, and suddenly jobless executives to look for their next unsuspecting dot-com in need of a “seasoned start-up expert.”

Regrettably, many organizations, past and present, have intentionally chosen not to advance the development of their internal control structure, often citing the most common of reasons: “It’s not cost-beneficial,” or “It’s the external auditor’s job to identify control weaknesses.” Hopefully, as corporate America has recently been jolted from a UI position regarding the importance of internal controls to, at a minimum, a CI appreciation for why those two statements are no longer valid under the Act, the opportunity to prevent history from repeating in another 70 years (or less) is a common goal, and that goal must be founded in an understanding (CC or UC is up to the individual organization) of a strong internal control framework.

Risks and Controls

While not specifically mandated in the Act, current conventional wisdom puts the framework recommended in The COSO Report as the best guidance for compliance with the Act. At the core of the COSO Report are the universal definitions of risk and internal control.

Put simply, a risk is an event that, if it occurred, would have an adverse impact on the organization’s objectives. Risks are commonly evaluated by the severity of the impact on the organization, and the likelihood of the event occurring. Inherent Risks are events that occur regardless of the effects of controls, Managed Risks are those mitigated by the use of internal controls and Residual Risks are the remaining risks after the application of the internal controls against the risks. In each organization, emphasis should be placed on determining the cost of an internal control against the benefit of the mitigation of the risk to an acceptable, “residual” level.

Internal control, as defined by the COSO Report, is: “broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations; Reliability of financial reporting; [and] Compliance with applicable laws and regulations.”

The COSO Report goes on to identify five unique components of internal control, which are fully integrated into management processes. The five components are: Control Environment, Risk Assessment, Control Activity, Information and Communication, and Monitoring, and are usually illustrated as either a “cube” or a “pyramid.” The “cube” illustration is presented here:

[Figure: the COSO cube. Based on the COSO illustration (copyright 1994) by the Committee of Sponsoring Organizations (COSO).]

The cube makes for an excellent depiction of the framework, in that everything rests on the base of a strong control environment, often referred to as the “tone at the top,” requiring a culture intolerant of unethical behavior, which is evident in all directions from both the board of directors and executive management. After that, a defined process where risks are identified and analyzed in order to determine the degree of mitigation necessary to achieve corporate objectives is necessary, followed by the control activities (policies and procedures) put into place in order to mitigate those risks.

Communication must flow both up and down the organizational chart, and information must flow from both inside and outside of the organization, in order to ensure that all parties, both internal and external, understand their individual roles in the control framework, and how their specific roles interact with others in the framework.

Finally, management must ensure that there is adequate monitoring to ensure the quality of the framework’s performance over time. This is achieved both by ongoing management activities, as well as objective evaluations by independent parties. The COSO Report recommends that this is an effective role for an organization’s internal audit function to play.

Over the years, this writer has developed a modified “hierarchy of internal control needs” in order to describe the nature of internal control monitoring.

[Figure: the “hierarchy of internal control needs” pyramid]

As depicted in the pyramid, the basis of all internal control monitoring rests in compliance with existing policies and procedures. Since this is a highly reactive approach, with only a “yes” or “no” outcome, the next layer (operational auditing) is more proactive in nature, not only identifying control breakdowns, but also working with management in determining and recommending appropriate corrective action to prevent future occurrences.

Even more proactive is having internal control experts “consult” on the front end of any process development and/or re-engineering projects, in order to ensure that effective controls are not sacrificed for “efficiency reasons.” (It should be noted that independence guidelines would prohibit the same control consultant from performing the “testing” of the new control, in order to eliminate the perception of a lack of objectivity.)

Finally, “self-actualization” comes when internal controls, and proactive risk management, are embraced in such a way that management incorporates control self-assessments (CSAs) into the overall internal control framework.

If a layer were to be added to the bottom of the pyramid as the foundation of the entire hierarchy, it would be the need for the perception of objectivity in performing the monitoring portion of the integrated framework. Then, of course, underneath the “foundation” of objectivity would have to lie the “bedrock” of independence.

Independence

One of the most significant tenets of the COSO Report is the understanding that the internal control framework is solely the responsibility of management. More importantly, Section 404 of the Act requires management to acknowledge this responsibility in an annual internal control report, which in turn must be independently attested to by the external auditor.

Many positions have been taken by various organizations since the passage of the Act regarding the appropriate roles that should be played by the audit committee of the board, management and the external auditor in ensuring the independence of each function in their respective roles. As mentioned previously, an unfortunate omission in the Act is the specific role that internal audit can and should play in pursuing the COSO Report’s stated objective of an independent evaluation of the internal control framework.

Some external auditors, who want to do much more than just the attestation work associated with management’s assertions, have embraced a more aggressive interpretation of the independence issues at the heart of Section 404 than is believed to be intended. For example, some external auditors go so far as to offer to serve as the “smart arms and legs” of the client company’s project management office in the preparation of the supporting documentation for the Section 404 assertions by management. That position appears to conflict with the spirit, if not the letter, of the new law’s independence rules because external auditors would be “independently” attesting to work that they assisted in preparing.

A useful thought process to consider when evaluating auditor independence issues is “four, three, two,” a mantra that refers to Sections 404, 302 and 201 of the new law. It’s helpful to run through the key questions at the core of each of those three sections in that order. First, under 404, can external auditors “independently” test and opine on management’s report on internal controls if they played any role in preparing the documentation? Second, under 302, is management comfortable with this decision in light of pending guidance on disclosure protocols, and the subsequent potential harm if something was deemed “inappropriate” about the external auditor’s role at a later date? And third, under 201, since this assistance of operating management in preparing their assertion falls outside the scope of actual external audit work, does it require audit committee approval, and is management therefore comfortable asking for it?

In the final analysis, it clearly makes sense to err on the side of caution when deciding whom to use to assist with the preparation of the Section 404 compliance work. A proposed solution: look to internal control experts where no appearance of conflict of interest exists.

In bringing together the importance of governance and a defined control structure, and justifying it by fundamental aspects of human behavior depicted in repetitive historical cycles, the advent of the Act strongly emphasizes the need for an objective monitoring function within the organization that can assist management. As experts in risks and controls, and by establishing the function as “independent” of operating management by having the reporting line directly to the Audit Committee, internal auditors can assist management with the creation of the control environment, the assessment of risk, the determination of control activities, the determination of adequate processes for both obtaining and communicating information, and the ongoing monitoring of the overall effectiveness of the control framework.

By mapping the “hierarchy of control needs” provided before to the “COSO cube” components, it becomes apparent how internal control expertise can provide assistance to management in every layer of the cube:

[Figure: mapping of the “hierarchy of control needs” layers to the COSO cube components]

As depicted above, compliance auditing is an essential part of the monitoring component, performed independent of management by the internal audit group, in order to be perceived as objective in their viewpoint. The more “proactive” operational auditing focuses on the components of information & communication and control activities, actively working with management in finding solutions to control issues, as opposed to simply identifying the issue. Control consulting applies risk and control expertise to both the control activities and risk assessment components, ensuring that adequate consideration is given to risk control consequences when identifying and mitigating risks, in addition to the “cost/benefit” aspects. Finally, instilling ownership of control self-assessments into management’s control environment by facilitating the process is the most proactive way for internal auditors to ensure that management is constantly addressing its fiduciary requirement to its board and investors to “own” the internal control framework.

A wise approach to auditor independence rules does not mean curbing communications with external auditors. On the contrary, management, internal audit and external auditing partners should interact continually throughout the year, both in the determination of the ability of the external auditors to rely on the work performed by the internal auditors as defined in the Statement of Auditing Standards (SAS) number 65, and in the determination of the minimum requirements needed to satisfy section 404 of the Act. That line of communications helps assure companies that their assessments, documentation, testing and reporting are heading in the right direction and should subsequently lighten the attestation load (not to mention the cost of that work) external auditors bear at year-end, as prescribed in SAS 65.

The “End” or the “Means?”

As an important point of clarification, numerous comments already made by key individuals, including SEC Commissioners, have made it clear that the Act was not intended to be perceived by management as the “end of all means” as it relates to providing the investing public, and the federal government, with comfort regarding an organization’s operations. Rather, the Act was intended as a “means to an end,” which would be the establishment of an integrated control framework, as prescribed in the COSO Report, which by definition would then include all aspects of the Act as a part of the overall defined corporate governance.

While many organizations responded rapidly in a “tactical” mode to key sections of the Act, such as deploying “cascading certifications,” i.e., having all layers of management perform the same certification as required by the CEO and CFO on all SEC quarterly and annual reports, many have adopted a “wait and see” attitude when it comes to the more far-reaching “strategic” components of the Act, such as: disclosure guidelines, whistleblower protocols and the incorporation of a uniform control structure, such as the COSO Report, across all processes in the organization, both “financial” and “non-financial.”

The lack of clarity regarding the role of internal audit in the Act has led some organizations, as part of their “tactical” reactions, to have both positive and negative effects on the intent of creating the ideal control environment. A positive effect is where audit shops that had relocated to the top of the hierarchy pyramid over the last decade or so, lured by the “sexiness” of the consultant’s role, and had forgotten the base, have been ordered back into compliance testing by their boards, especially pertaining to financial reporting processes. The development of CSA was never meant to replace the independent monitoring done by internal audit, and is yet another example of unintentional decay from UC to UI when internal auditors quit independently verifying, through compliance testing, the assertions provided by operating management through the results of their CSAs.

However, some negative effects seen post-Act involve management’s desire to incorporate the internal auditor into the actual processes developed as “tactical” reactions to components of the Act, such as requiring the Internal Auditor to sign off like management on the “cascading certifications,” and by having Directors of Internal Audit have active roles on the Disclosure Committees set up as part of Section 302. Whereas the underlying intent of such actions is understandable by management, having internal auditors become active participants in the actual control activities and information & communication components of the framework clearly dilutes the perception of independence, which erodes the ability to monitor objectively.

Organizations that either already had in place internal control frameworks based on the COSO cube, or have since implemented such programs, are on the path to complying with the true “spirit” of the Act. These organizations:

• Have an independent internal audit function reporting directly to the audit committee of the board of directors, and administratively to executive management;
• Have board-approved charters for both their audit committees and internal audit departments;
• Have management and internal audit jointly perform risk assessments (enterprise-wide and entity/process-specific) on a regularly defined basis (ideally annually, but no less than every three years);
• Prepare annual audit plans based on the result of those risk assessments;
• Have internal audit test and report on the effectiveness of the existing control activities, and management’s ongoing efforts to correct deficiencies as noted;
• Ensure that their internal auditors play the role of corporate “teachers of internal control,” in that they instruct management in their core expertise: risk assessments and internal controls, and “test” the effectiveness of their instructions through auditing the operations for compliance with all pertinent policies and procedures, along with evaluating the efficiency and effectiveness of the overall control environment, both in financial and non-financial areas of the organization; and
• Also ensure that, through their collaborative interactions with management, their internal auditors are part of the process of continuous improvement of the control framework, thereby assisting management with their ability to prepare quarterly and annual assertions as to the overall effectiveness of their control framework, as defined by the Act.

An interesting note: Thought-leading organizations were doing most, if not all, of the above prior to the Act, and were not even necessarily publicly traded! Their reason for being so “visionary” was simple: Long before Congress legislated it, these organizations understood that the “benefit” of increased efficiencies and effectiveness of operations, along with a “tone at the top” of zero tolerance of improprieties and unethical behavior, was well worth the associated “cost” of an integrated control framework, including independent, objective monitoring.

Lessons from History

Using the competency cycle described previously, a “thumbnail sketch” can be prepared of the historical trends that led to the Act:

• In spite of numerous attempts in the past by Congress to “legislate” corporate governance, no clear-cut definition of an adequate internal control framework was ever mandated.
• … since they had not adequately erected the required “barrier” between UC and UI: An “independent” evaluator of compliance in the monitoring process.
• Finally, the professional services firms suffered a significant shift in the investing public’s perception of what constituted “independence,” especially when it came to monitoring clients where other, management-directed, work was performed.

Thus, the dominoes were lined up, waiting for a push: A lack of perceived independence, leading to a lack of a defined barrier in the competency cycle, leading to an artificial reliance on existing control frameworks, leading to opportunities for manipulation of financial data, leading to the collapse of large (and small) institutions, leading to the devaluation of investor portfolios, leading to public outcry, leading to the passage of the Sarbanes-Oxley Act.

Hopefully, the adage of “those who do not learn from history are bound to repeat it,” will be the new watch phrase of corporate America. Most importantly,
although not specifically defined in the • In addition, professional services Act, the necessity of an independent firms were left to themselves to deter- monitoring function in the internal control mine what was deemed appropriate in integrated framework will become the maintaining a perception of independ- definitive “barrier” that prevents the dom- ence in performing their work. ino cycle from reoccurring, and history • Over time, some organizations that from once again repeating itself. Only considered themselves “UC” when it time, further governmental guidance and came to understanding their opera- proactive management action, will tell if tions and control environments atro- the lesson has been finally learned. phied into “UI” in regards to key ar- eas of governance, thereby creating an “environment” that allowed inappro- priate behavior to go undetected,