The relationship between financial controls and financial reporting has always been fuzzy. All finance functions worth their salt subscribe to the view that the control environment is critical, but who takes responsibility for application controls is often a fudge between group finance, internal audit and external audit. But with more focus on risk, the time has come to clear up the confusion and place financial reporting on the same footing as the management of controls. Gary Simon, FSN’s managing editor, looks at the reasons why controls reporting is on a collision course with financial reporting.
It stands to reason that the integrity of financial reporting relies on the underlying controls. What is less obvious is where responsibility lies for ensuring that controls are consistently applied. Part of the problem is that controls are a moveable feast. On the one hand, application controls, which provide assurance around completeness, accuracy and authorisation, usually lie with the users, whereas responsibility for general controls, which ensure that, for example, applications are adequately secured and backed up, often resides in the IT function.
In reality, the time pressures around the monthly, quarterly and yearly reporting cycles mean that controls are always someone else’s problem – that is, of course, until things go wrong. Sarbanes Oxley was supposed to sort out the problem, insisting that controls (general computer controls & application controls) are adequately documented and tested. In large measure SOX has underlined the importance of controls and, after an initial peak, has reduced the number of material weaknesses and re-statements in financial statements. But it has come at a steep price in terms of the cost of creating and evidencing the control environment, as well as a lengthening of the time taken to make earnings announcements.
Although the origins of more sophisticated controls monitoring within the reporting supply chain can be traced to SOX, there is now a growing recognition that strengthening controls is a laudable objective in any well-run company, regardless of regulatory pressure, and that these should be combined with financial reporting in one environment.
Ted Sparrey, of Trintech plc, a specialist supplier of Governance, Risk and Compliance solutions, agrees. He told FSN, “Financial controls and reporting are tightly linked and should never be viewed in isolation. When Sarbanes Oxley was passed, the initial view was that this was an additional set of tasks that needed to be performed to meet the regulatory requirements. In fact, good finance practices have always demanded integration between your controls and your statutory filings. Most progressive finance professionals now view best practice as a single effort in filing financial results that are not subject to restatement.”
Systems have become a valuable enabler in the quest to improve financial controls in the group reporting process. These can vary from a repository of controls-based checklists integrated with the group consolidation engine, through to workflows and reconciliation software which guide users more methodically through period close and related activities. The ultimate goal is for a CFO or Finance Director to be able to look at a number in the balance sheet and know, with a fair degree of certainty, that all of the underlying control elements that impact on its reliability have been signed off.
But it is not just compliance that is driving investment in GRC solutions. Dominick DiPaolo of Blackline Systems told FSN, “In the past, each piece of the reporting supply chain, such as the general ledger close, reconciliations, consolidations and external reporting was a discrete process with its own lifecycle. Historically, when time was less pressured these could be managed on a manual basis but it is impossible to do this now. It is critical from both a compliance and a timing point of view that these processes share the same environment.”
The latest round of technology from both Trintech and Blackline provides a unified environment in which control, reporting and compliance objectives can be satisfied together. Trintech’s Sparrey comments, “Technology plays two critical roles in control, risk and compliance. First, technology automation can drastically reduce staff costs and efforts. This enables additional money and staff time to be focused on key issues and problems likely to cause material weaknesses and restatements. Second, technology can provide a single version of the truth when it comes to control, risk and compliance activities. This visibility and transparency highlights redundancies as well as holes within compliance efforts, enables controls to be leveraged across multiple initiatives and provides close integration between a company’s activities and those of their external auditors, reducing costs and staff efforts.”
According to Blackline’s DiPaolo, this is exactly what CFOs and Finance Directors are looking for. “The whole drive started with SOX and the need to have a repository of documented controls, testing and results. But many elements of the reporting supply chain are manual and managed by lots of different people. For example, one person may be responsible for a footnote disclosure whilst another is looking at a statutory filing. CFOs are now looking to bring these disparate activities together to replace manual processes and to get visibility of who is doing what and by when,” he added.
The area acknowledged to be one of the worst when it comes to control is the so-called “Last Mile” of finance, a phrase coined to describe the activities that sit between the final consolidation and the hard copy preparation of the Annual Report and Accounts. This phase stands out because of the number of functions involved (for example, group finance, investor relations, external audit, PR and design, printers and internal audit) and the ease with which adjustments and last-minute changes can fall between the cracks.
The prize in financial reporting is now to streamline the Last Mile and a number of vendors are providing tools to ease the pain. Embedding controls within financial reporting is key to process improvement in this final phase but it shouldn’t be treated in isolation.
According to Trintech’s Sparrey, companies are realizing that risk, control and compliance activities and their possible negative consequences are closely interrelated and can best be dealt with on a coordinated basis. He told FSN, “Regulatory agencies such as the U.S. SEC and PCAOB are advising a single approach that links internal and external review and audit in order to maximize visibility and reduce costs and efforts. Progressive finance professionals and industry analysts refer to this trend as the ‘holistic approach’ to compliance.”
It seems that a unified approach to controls and reporting is the only sensible way forward.




