Significant Value with Internal Controls
David R. Campbell, Mary Campbell, and Gary W. Adams
- Every company—an accelerated filer completing the
second year of Sarbanes-Oxley (SOX) 404 compliance, a private
company wanting to enhance internal-control quality, or a
nonaccelerated filer looking at initial compliance efforts
for 2007—wants to get as much value as possible for
each dollar spent. Although
initial efforts may be motivated by legislation, looking beyond
compliance to achieving a market leadership position through
internal controls can deliver significant value. A leadership
position with regard to compliance can offer competitive advantage
with a number of stakeholder groups: analysts, rating agencies,
customers/clients, and suppliers.
article provides a brief overview of the Committee of the
Sponsoring Organizations of the Treadway Commission’s
(COSO) model of internal controls used in many organizations
as an implementation framework. It then outlines key measures
of progress to a market leadership position, where real
value is delivered beyond meeting compliance requirements.
Last, lessons learned from the authors’ consulting
work describe the key organizational success factors typically
found in organizations that are at the leading edge of SOX
Value Proposition for Internal Controls
basic benefits of holding a market leadership position in
internal controls include the following: increasingly effective
operations, highly reliable financial reporting, and industry-leading
compliance programs. Recently, the Institute of Internal
Auditors’ (IIA) Research Foundation published a detailed
report titled “Sarbanes-Oxley Section 404: Looking
at the Benefits,” by Larry E. Rittenberg and Patricia
K. Miller. This report highlighted significant additional
benefits from control improvements brought about by section
It added structure in the year-end closing process and
recording of journal entries, resulting in recognition
of the additional complexity in these areas.
It increased anti-fraud activities, including defined
processes, which include responsibility for follow-up.
It improved the documentation of controls and control
It improved the definition of controls across the organization,
including the crucial relationship between these controls
It spurred a return to the foundation of basic controls
(e.g., segregation of duties, periodic reconciliation
of accounts, and authorization processes) that had eroded
as organizations downsized or consolidated operations
in order to drive costs down and remain competitive.
derive additional value from their internal controls work,
whether it is done for section 404 or for the stakeholders
of a not-for-profit organization. In addition, the report
found that market leaders can leverage the knowledge base
built during the assessment process, documentation development,
and the relationships defined across business processes
to create measurable value across the entire organization.
When this occurs, the true organizational return on investment
in SOX compliance can be realized.
areas of particular value enhancement are business process
improvement and risk management assessments. Combining business
process improvement with SOX internal control efforts allows
companies to benefit from reengineered business processes,
resulting in fewer controls and better downstream business
performance. The SEC’s recent emphasis on a more risk-based
approach to the identification of key processes, key controls,
and appropriate testing has many organizations focused on
the broader value produced through enterprise risk management.
Here the organization uses risk assessment as a strategy
to boost its bottom line, much like cost containment.
companies without a chief risk officer or risk council are
considering implementation of these concepts to deliver
greater corporate value. Companies at the leading edge of
discovering additional value in internal controls have developed
techniques proven to drive more predictable revenue, minimize
outstanding receivables, reduce operational costs, and even
improve a company’s performance.
COSO Internal Control Model
COSO internal control framework was first introduced in
1992, and in 1994 a comprehensive four-section report on
internal controls was issued, consisting of an executive
summary, a framework, guidance to public companies on reporting
on internal controls to third parties, and evaluation tools
to help a company comprehensively assess its current control
COSO framework (Exhibit
1) is relevant to achieving company objectives in three
Operational goals: The framework relates to the effective
and efficient usage of all of a company’s resources.
Financial reporting goals: The construct gives guidance
on the consistent production of reliable financial reports.
Compliance goals: The guidance creates a topology of the
company’s compliance requirements as they relate
to industry regulations or legal requirements for public
right side of the cube in Exhibit 1 represents the organizational
units and activities to which this framework is applied.
COSO framework is the standard for internal controls guidance.
The IIA Research Foundation indicated in a February 2003
report, “Internal Auditors’ Role in Corporate
Governance,” that 63% of publicly held companies use
the COSO framework of internal control.
leader is distinct in the way top management views their
leadership responsibilities. In many cases they see opportunity
for improvement where others only see regulatory hurdles
or bureaucratic necessities. Market leaders can leverage
the COSO framework.
element is the foundation of the COSO framework. It sets
the overall tone of the organization with regard to the
importance of internal controls. Ethical values, leadership
resource allocation, staff competence at all levels, the
dynamics of authority and responsibility within the organization,
and management philosophy are all parts of this critical
a sense, the control environment is the most difficult component
to quantify, because much of it relates to the overall culture
of the organization. But there are a number of clear goals
that an organization can work toward to ensure that the
framework rests on a foundation exemplifying market leadership.
and leadership involvement is the most crucial element in
an organization seeking market leadership. As the board
and leadership set expectations and measure progress against
them, business units or department heads begin to assign
internal controls the priority they require. The specific
strategies that can be employed to move to a market-leader
position within an industry include the following:
Conveying the importance of ethical values by setting
an example and “walking the talk.” This includes
relating stories of integrity and ethical values through
presentations, newsletter stories, and any other means
of getting the message to everyone that these values are
important to the organization. Public companies are now
required to have a code of conduct for the board under
the requirements laid out by SOX. Nonprofits and private
companies can also benefit from a code of conduct. The
organization cannot tolerate violations of this standard.
There are financial benefits to this approach as well.
One research study performed by the Institute of Business
Ethics (“Does Business Ethics Pay?,” April
2003) found that companies displaying a clear commitment
to ethical conduct consistently outperform companies that
do not display ethical conduct.
Developing clear organizational guidelines relating to
responsibility and authority with accountability checks
is another clear hallmark of an market leader. Within
the organization, leadership typically follows a distributed
model, with individuals understanding the overall organizational
goals and how the goals of their department or business
unit relate to them. Individuals should also understand
their responsibilities and the limit of their authority
to ensure that the goals of the organization are achieved.
When a leadership culture like this is achieved, the whole
organization is focused on organizational objectives and
committed to the maintenance of the control structure.
A guiding coalition of leadership members believing in
the need for change is one of the first steps typically
taken by organizations that successfully make culture
shifts, but changes will take effect slowly and steadily
the internal control framework within the organizational
culture. Management must clearly define roles and responsibilities
for internal controls, including responsibility for the
defining, documenting, testing, and monitoring of controls
and the remediating of problems. The organization must
incorporate these responsibilities into the responsible
individuals’ performance management goals.
The internal controls environment is no longer viewed
as separate from the operating component of the business;
controls are embedded in processes from the beginning.
This approach lowers the risk of inadequate controls and
ensures that the control structure is in place from the
outset of a process’s planning and launch.
Supporting human resources policies and practices that
provide clear corporate career paths. Human resources
management plays a key role in ensuring that individuals
are hired with the needed financial competencies and that
career growth supports an increased level of financial
companies take a risk-based approach to SOX internal controls
compliance as a key step in achieving a correct balance
between costs and benefits. Recent guidance from the Public
Company Accounting Oversight Board (PCAOB) supports this
approach with specific recommendations, including the use
of a risk-based method to determine which key controls are
tested each year. The PCAOB also recommends that the viability
of a company’s business model is an important consideration
when evaluating risks. Companies that focus on these larger
problems and risks will better meet the needs of all their
stakeholders, including investors and analysts.
leaders with respect to internal controls expand the risk
focus started under internal compliance efforts to a broader
venue. One popular concept that often precedes a mature
enterprise risk management initiative is the formation of
a risk council. This council is generally composed of management
representatives from different areas of the business. Some
of the early objectives of risk council meetings are as
Use of a common terminology for risk discussions throughout
of a risk framework or structure for fostering risk management
across the organization;
of the organization’s current risk capability as
well as risk and performance indicators;
of the company’s current spending on risk; and
of a plan to mitigate the operational risks of the organization.
they do not already have a risk program, some companies
take the risk management process even further with a more
formalized, enterprise-wide program headed by a chief risk
officer. Under this approach, the organization embeds risk
identification and mitigation into its culture in the same
way it adopted its internal control framework. The goal
is to intertwine risk and business strategy with other organizational
systems such as performance management.
important aspect to risk assessment is continuous monitoring
of the internal and external environment in which the entity
operates. This periodic scan of the operational environment
can highlight upcoming events affecting both internal controls
and risk strategy. Events such as systems change, mergers
and acquisitions, loss of key personnel, and other events
may require a closer look at existing controls and risk
leadership in the actual design of controls requires corporate-wide
coordination and the involvement of ownership. Policies
are set enterprise-wide, allowing an efficient implementation
while avoiding duplicate efforts and definitions. Control
design workshops or training can raise the knowledge and
capability of management and staff to deal with defining,
documenting, managing, testing, and reporting on internal
controls. Global organizations have recently begun to roll
these sessions out through online training sessions for
foreign registrant compliance with SOX section 404. These
modules can be used with more-experienced users to reinforce
other objectives, such as a return to basic controls and
an emphasis on continuous improvement. Leading organizations
have moved to more-comprehensive training on basic accounting
concepts, and in the process have improved the timing of
their closing cycle, implemented process improvements, and
reduced the error rate in accounting transactions.
leaders have focused controls on prevention rather than
detection (see the Sidebar on types of controls). They have
reengineered business processes, where needed, to incorporate
prevention. Automating control checks by utilizing software
features that can complete checks without any specific action
is also beneficial. Internal auditing can help provide direction
to business process owners searching for the best approach
to use. Working closely with the board will help the internal
audit function receive the company-wide exposure necessary
for business process owners to recognize the value delivered
to the organization. It will also make it more likely that
business process owners will “buy in” to the
companies in internal controls implementation effectively
utilize technology in several ways. First, they build in
controls wherever cost-effective, because this one-time
change activates a continual and long-lasting process of
control testing. Automated control testing also brings about
a quicker response time to potential problems and needed
can also utilize technology to support the documentation
and testing components of their control activities. Numerous
vendors (e.g., BWise, Methodware) provide customizable software
to provide a consistent approach across the enterprise.
The use of software to support these efforts is not limited
to large companies, as many programs are scalable and affordable
for small companies. These programs help ensure that the
initial investment in documentation and testing is well
maintained and that compliance efforts will be sustained
into the future. They can also serve as a basis for higher-value
initiatives downstream, such as business process improvement
and more-comprehensive risk management activities.
open flow of information and ease of communication within
an organization are essential with any new initiative. Experienced
project managers are well versed in the communications needed
to disperse information to stakeholders. They also have
experience with change management, which can contribute
to the timelier acceptance of new processes and the continuous
improvement needed to excel. Experienced project managers
will build measurements into the plans to assess success.
companies foster open communication between internal auditors,
management, and external auditors. The first year of SOX
implementation for accelerated filers resulted in less than
ideal communications with external auditors, according to
the SEC April 2005 Roundtable on Internal Control Reporting
Provisions. Recent recommendations from the SEC and the
PCAOB have clarified expectations regarding external auditor
communications, with the specific goal of improving the
quality of testing, documentation, and remediation in the
control environment, thus adding business value.
overload is prevalent throughout business. In the “information
economy,” management is frequently overwhelmed by
the quantity of data available, often resulting in a failure
to convert important business information into knowledge
to support their competitive advantage in the marketplace.
Leading companies have recognized that effective reporting
of exceptions and an “executive dashboard” approach
are the best ways to focus attention on important information,
and they can avoid placing management adrift in a sea of
meaningless data from endless sources.
self-assessments (CSA) can play an important part in monitoring
internal controls. CSAs place the responsibility for assurance
that controls are in place and functioning with the business
process owners, consigning ownership exactly where it belongs
under the dynamics of typical organizational behavior.
questions from a CSA on a company’s accounts payable
process are shown in Exhibit
2. The IIA website has numerous examples. Another CSA
option is an interactive workshop, which uses a facilitator
to draw out control information from management. This approach
leaves control with management, allowing the organizational
process owners to follow up downstream with surveys or questionnaires
in subsequent periods, further refining the work product.
efforts are best focused on leading indicators that allow
time for correction, rather than lagging indicators that
do not. The best reports for monitoring internal controls
contain integrated information from both internal and external
sources. Software packages can facilitate pulling together
data from disparate systems and processes.
In many organizations, the internal auditors are responsible
for conducting a formal review of internal control work.
Such a review should be conducted annually and should take
advantage of “lessons learned” from SOX activities,
as well as input from the external auditor.
requires more than simply creating a checklist in each of
the control components. There are a number of differentiating
factors, consistent across industries and firms of various
sizes, that are responsible for the success of market-leading
management. To become a market leader, an
organization’s people must often change the way they
approach their responsibilities. Change occurs because employee
stakeholders see the benefit, buy in to the concept, and
therefore effect change.
of the most successful techniques for achieving this goal
is the creation of a guiding coalition or leadership group
responsible as internal champions for the changes required
in the current environment. The authors have found that
designating a well-respected individual with good project-management
skills as the champion for the effort ensures achieving
a leading practice state.
communications and training throughout the organization
at every level are key components of success:
Ask process owners in areas with material weaknesses or
significant deficiencies to report to the audit committee
on these issues along with the remediation plan the owner
has committed to implement. (See the Sidebar
for a definition of “material weakness” and
Distribute, on a regularized basis, communications from
internal audit or other responsible groups on techniques
and tools to support the effort.
Conduct training to support business owners when completing
the CSAs and testing.
Issue progress reports from the leadership throughout
the process on the benefits obtained from efforts to date
and the desired goals to continuously improve the process.
improvement. Companies that strive for market
leadership in everything they do will want to go beyond
minimum compliance requirements when addressing the SOX
internal control assessment and reporting process. They
are constantly looking to improve and leverage additional
value from what they have accomplished to date. Such companies
are more inclined to pursue continuous improvement in achieving
their business strategy.
to value. A drive to value means thinking
creatively and continuously about what has been accomplished
to date to further leverage competitive advantage for the
organization. Although SOX section 404 compliance does not
require the reengineering of business processes, the knowledge
gained from internal control assessment will likely uncover
opportunities for business process improvement to create
value. For example, a control that costs thousands of dollars
to implement in a company’s supply chain system may
uncover inventory inefficiencies that process owners can
reengineer to save millions. Finally,
market leaders expand their risk focus from initial SOX
tasks to a much broader scope and view the task not as within
a single department or division, but rather as an enterprise-wide
initiative of cost containment or revenue enhancement.
public companies, not-for-profits, and private companies
are to truly realize the significant investments made due
to SOX, they must move beyond basic compliance and emphasize
an even better system of internal controls that will promise
drive attainment of strategic business objectives,
and mitigate risk, and
design business process improvements to better integrate
enterprise-wide process with systems.
R. Campbell, CPA, is a professor and chair of the
accounting department at Drexel University in Philadelphia,
Pa. Mary Campbell is an independent consultant
who assists companies with the implementation of strategic
Gary W. Adams is the president of AutoParking,
Inc., in New York City.