In my last blog, Control Effectiveness—Is the Glass Half Empty?, I examined how control effectiveness is often measured incompletely and inaccurately. Let’s look at what we learned and discuss a better way to determine effectiveness.
There are three lessons we can learn about making conclusions on control effectiveness:
Controls’ effectiveness can’t be measured against “control objectives”. Control effectiveness can only be measured against the broader, business (or in the examples, community and therapeutic) objectives. (Most of the major corporate failures we have seen in the financial crisis have rated their internal controls as “effective” immediately before failing). Controls …
Control effectiveness opinions are what we expect from auditors. But what does a control effectiveness opinion really tell us?
None of us would conclude a glass is half full without knowing how big the glass actually is. The amount of liquid currently in a glass doesn’t tell you anything unless you know how much liquid the glass will hold.
Similarly, control effectiveness opinions are often based on knowing only half the facts. Many, if not most, of the major corporate failures we have experienced have happened to companies whose external auditors reported effective internal controls. What was missing?
In 2010, the Committee of Sponsoring Organizations (COSO) published a research study, “Fraudulent Financial Reporting: 1998-2007,” to provide a comprehensive analysis of fraudulent financial reporting occurrences investigated by the U.S. Securities and Exchange Commission (SEC) between January 1998 and December 2007.
The instances of fraudulent financial reporting analyzed in the report straddled the implementation of Sarbanes Oxley and preceded the massive failures of some of the nation’s largest and most prestigious financial institutions.
A Couple of Findings
The most common fraud technique involved improper revenue recognition (61 percent), followed by the overstatement of existing assets …