The Sarbanes-Oxley Act of 2002 (SOX) regards management review controls (MRCs) as one of the most pertinent internal controls. MRCs are the evaluations done on the critical financial information systems of an organization to determine their accuracy and reasonableness. They are a significant aspect of any public company’s internal controls over financial reporting (ICRF). Some of the most important SOX management reviews include:
- A review of reconciliations
- A review of journal entries
- The work that supports an estimate
- Trigger events
- Budgets to actual variances
Contrary to what you might think, management review controls are more complicated than other controls. They require you to undertake an evaluation of combined results rather than individual transactions alone. Management review controls entail undertaking a comparison of recorded amounts versus associated projections. This is done based on the experience and knowledge that you may have relating to the business.
Typically, conclusions made during the management review process are based on historical reporting and documents. These provide the requisite context to reviewers. Management reviews entail more than merely seeking a yes or no confirmation. Such confirmations tend to be less clear cut and more subjective, and may not provide you with insights needed to steer your organization forward. Therefore, a simple signoff by management after a review process cannot sufficiently satisfy an internal or external audit.
Inherent risks characterize management reviews. Consequently, the Public Company Accounting Oversight Board (PCAOB) requires you to undertake detailed documentation of every MRC. The documentation enables both internal and external auditors to know about the historical information that got evaluated. They also get to understand issues that were considered and discussed before arriving at an approval.
There is a raging debate regarding the level of detail that PCAOB inspectors and auditors require during the management review control process. Indeed, companies wish to avoid errors, particularly in the financial statements that they submit to the Securities and Exchange Commission. However, the main question that endures is, how much documentation is sufficient?
An Example Situation
Consider a bank account reconciliation, for instance. It involves either an accounting clerk or any other person who completes it. Typically, those who undertake bank account reconciliation consider the account balance on the overall ledger and the bank statement’s balance as two different things. This is because there is a continual activity between every end-month, and every time the bank statement arrives. The accounting clerk must reconcile the discrepancy between the two.
During the review stage of the control process, the corporate controller will evaluate the bank reconciliation and approve it. Initially, the controller could sign off on it, but things have since changed. Today, a single signature is insufficient. Documentation for this management review control must delve deeper into the details of the entire review process. This entails evaluating how and why the controller decided to provide his/her approval.
The documentation is meant to guide third parties as well as external auditors on the path that the controller took to reach his/her conclusion. The main challenge lies in trying to document detailed activities that led to the conclusion that all is okay. Likewise, if everything isn’t okay, the rejection process and the resolution process should get documented.
A More Complicated Situation
In this case, a different and more complicated example can be tax provision. Whenever books are closed, it means that everything is complete. The tax team can come in to undertake a provision for income taxes. While at it, they will figure out the amount of state, federal, and local tax that you should pay. The tax team will also review the tax provisions, and where applicable, your company’s VP in charge of taxes will sign off the document.
Previously, the journal entry containing the VP’s signature only was sufficient documentation for review. Currently, MRC requires you to provide minutes of meetings when preparing tax provisions. The minutes ought to include topics that were discussed, any disagreements or conflicts that arose, and how they got resolved for the approval conclusion to be reached.
Generally, financial accountants dread situations that involve auditors evaluating the details of their work. This evaluation is akin to a review of the accountants’ thought processes since, in the end, it gives the auditors an idea about how acceptable tax numbers were reached. Often, accountants don’t like exposing what they regarded as option A, and what they regarded as option B. on their part, auditors may not agree with their decisions.
The dilemma with MRCs is that they often involve judgment calls. The real challenge lies in getting the auditors details of the entire thought process and reasons why an approval or a conclusion was reached. Providing these details makes an auditor a fly on the wall literally.
He/she can only sit back and watch to gain an understanding of what occurred during the meeting to warrant the conclusions made.
Auditing is not a part of the MRCs. The documentation is only prepared so that auditors understand how approval and rejection decisions are made. This could perhaps explain why the accounting department and managers don’t like it. Often, they feel that the meetings should be confidential and that auditors may not agree with the decisions that they make during the meetings.
The last thing that financial accountants and management want is to have auditors attending those meetings. Indeed, this also depends on the audit firm that you are using. Some insist on attending the meetings to witness the decision-making process because meeting minutes ay not include all details. The drawback is that with an auditor in attendance, the sincerity in the meeting can get dialed back.
Why MRCs are a Tough Balancing Act
Providing details on how judgments are made can create a lot of anxiety and conflicts. Even so, the documentation of MRCs is necessary, especially in cases whereby no process is in place. For instance, imagine a situation whereby a corporate controller signs off on individuals’ permissions to access the accounting system and do their job.
In such a case, the inherent problem is that they will have access to everything, including processes that they don’t need to do their job effectively. It will be easier for fraudulent activities to be undertaken with such porous access to the system. When auditors ask the controller to sign off on all the approval, it’s evident that they have not evaluated the need for employees to have this level of access. Likewise, the controller may feel there is too much information to review.
As a result, the controller’s signature may look like a rubber stamp, which can be used by anybody. If this happens, it means that there isn’t a control activity in place, but rather, a mere appearance of one. Should a fraudulent activity occur, it will reflect badly on auditors as well as the company in general.
Every time you deal with financial information, it’s advisable to have a system that reconciles and approves things. This will go a long way in reducing the burden of documentation. Automating the entire process enables you to monitor all actions. Auditors will also find it easier to retrace steps taken during decision-making. Automation also guarantees the accuracy of the financial information that was used to formulate decisions.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.