
Streamlining Sarbanes Oxley & Basel II Compliance Costs


The Utilization of Compensating Controls Methodology & Bayes' Theorem

By Jerry Grenough
Principal, Taylor Forensics

A little-known mathematical theorem may be the means by which Sarbanes-Oxley compliance costs can be drastically reduced in the 15,000 plus publicly-held corporations worldwide. This theorem, known as Bayes' Theorem, determines the effectiveness of one or more synergistic controls. The consequences of applying this Theorem are stabilization of compliance costs at a level significantly below the current level of consulting and in-house costs, approximately 1% per one billion in revenue. Time-consuming, counterproductive testing is eliminated. Section 404 compliance is maintained at a high level, satisfactory in form and results to external auditors.

The Basel II Accord, likewise, is a global regulatory treaty that defines the global standards for enterprise risk management practices in the financial sector with the intent of risk mitigation. All areas of bank operations are included: people, processes, systems, governance and supplier management. Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including strategies and processes, scope of risk reporting, structure and organization of risk management, and policies for hedging and mitigating risks, inclusive of operations.

This article will address specifics of how this can occur, as well as case studies in the insurance industry. This statistical theorem, widely used in medicine and engineering, is little-known to those in the financial realm, but could be the key to Sarbanes-Oxley compliance and information security at reasonable cost levels.

Statement of Bayes' theorem
Bayes' theorem relates the conditional and marginal probabilities of stochastic or random events A and B:

Pr(A|B) = Pr(B|A) Pr(A) / Pr(B)

where Pr(B|A) is the likelihood of A given B for a fixed value of B. Each term in Bayes' theorem has a conventional name:
- Pr(A) is the prior probability or marginal probability of A. It is "prior" in the sense that it does not take into account any information about B.
- Pr(A|B) is the conditional probability of A, given B. It is also called the posterior probability because it is derived from or depends upon the specified value of B.
- Pr(B|A) is the conditional probability of B given A.
- Pr(B) is the prior or marginal probability of B, and acts as a normalizing constant.
With this terminology, the theorem may be paraphrased as

posterior = (likelihood x prior) / normalizing constant

In words: the posterior probability is proportional to the prior probability times the likelihood. In addition, the ratio Pr(B|A)/Pr(B) is sometimes called the standardised likelihood, so the theorem may also be paraphrased as

posterior = standardised likelihood x prior

Synergistic Controls
A synergistic control, as it relates to Bayes' Theorem, could be defined in auditing terms as a mitigating or compensating control. In order to understand the definition of compensating controls in the context of Bayes' Theorem, it is important to understand the System Model. Whether one is designing an anti-fraud system, complying with Section 404 of the Sarbanes-Oxley Act or simply designing an internal control system, the System Model is a little-understood but essential tool. It reflects the common internal control points of a well-designed internal control system. A company may have twenty processes (payroll, revenue, cash disbursements, payables cycles and so forth) and it may have five or six "key control" points within each cycle. Understanding this is the secret to designing or auditing a particular cycle. The following chart illustrates the System Control Model, applicable to all corporate structures:

SYSTEM CONTROL MODEL

Control: Description
- Transaction Authorization: Transaction Authorization Controls are used to ensure management authorizes all transactions entered into the system.
- System Access & Edit Controls: System Access & Edit and Validation Controls are used to ensure only valid transactions are entered into the system by properly authorized personnel.
- System Calculates Correctly: Processing controls ensure valid transactions are processed correctly and the resulting output has integrity and can be relied on.
- Interface Reconciliations: Interface Controls ensure accurate and reliable data is passed from one application system to another.
- System Monitoring: Management Monitoring Controls use system data to validate the integrity of processed data, e.g. Suspense and Bank Reconciliations.
- Management Analytics: Management Analytics uses system data to ensure the consistency and reasonableness of processed data.
- Segregation of Duties: Segregation of Duties is a control used by management to ensure the functions of authorization, custody, recording and reconciliation are properly segregated.
- System Changes: System Changes and quality assurance over those processes are used to ensure the integrity of the application system.

Source: H.C. "Pete" Warner, CIA, CPA, The Internal Control Institute


Let's say your public corporation is in the insurance industry and your auditors have raised a deficiency based on their examination of accounts payable. Their concern: fraud schemes (kickbacks, inflated invoices, duplicate payments and the like) due to inadequate segregation of duties.

The defense to their position is that compensating controls exist and strengthen the primary control to a high level of operating effectiveness. Primary controls are normally authorization controls, for example, approval of invoices by an e-payables manager before payment. Detective controls, which are compensating controls, would be monitoring or reconciliation controls within the system model.

Therefore, if accounts payable is integrated with the general ledger system, access is restricted, and appropriate levels of review for monitoring occur (for example a management analytic with vertical or horizontal analysis of line items), you have added three complementary or synergistic controls according to the Theorem, and security is raised from a 60% level to a 93.6% level for that process. No further testing is necessary. Mitigating controls exist in every process and can always be identified as one of the control categories of the System Model.

In order to determine effectiveness mathematically, here is a Bayes' Theorem chart based on the formula referenced above.

BAYES' THEOREM

Number of Synergistic    Effectiveness of Primary Control
Controls                 60%      70%      80%      90%
1                        60%      70%      80%      90%
2                        84%      91%      96%      99%
3                        93.6%    97.3%    99.2%    99.9%
4                        94.7%    99.2%    99.8%    100%
5                        99%      99.8%    100%     100%

Source: www.sarbanesoxleywhitepaper.com


To determine the combined effectiveness of a set of synergistic controls, use the following equation, where E is the combined effectiveness and E1, E2, E3 ... are the effectiveness of each single control. Bayes' Theorem: E = 1 - ((1 - E1) * (1 - E2) * (1 - E3) * ...)

What this mathematical formula is telling us as auditors is that in addition to implementing primary controls, complementary or compensating controls effectively increase the percentage level of confidence in our internal control structure.
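The formula above carried through in code, as an added example that is not part of the original article: it rebuilds the effectiveness chart and adds a small planner that tells an auditor how many compensating controls of a given strength are needed to reach a target. It assumes, as the formula does, that the controls fail independently, and that every control in the chart is as effective as the primary (the assumption that reproduces the chart's own figures); the 95% target and the accounts-payable figures in the usage are constructed.

```python
"""Combined effectiveness of a primary control plus compensating controls,
using the article's formula E = 1 - (1-E1)(1-E2)(1-E3)...  (added example)."""


def combined_effectiveness(effs):
    """Probability that at least one control catches a given error.
    Assumes the controls fail independently: controls that share a
    person, a system or a data feed are correlated and will perform
    worse in practice than this computes."""
    miss = 1.0
    for e in effs:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness must be in [0, 1], got {e}")
        miss *= 1.0 - e          # chance that every control so far misses it
    return 1.0 - miss


def effectiveness_chart(primaries=(0.60, 0.70, 0.80, 0.90), max_controls=5):
    """Rebuild the article's chart. Row n = n controls in total, each
    assumed to be as effective as the primary. Percentages rounded to 0.1."""
    return {
        n: [round(combined_effectiveness([p] * n) * 100, 1) for p in primaries]
        for n in range(1, max_controls + 1)
    }


def controls_needed(primary, candidates, target):
    """Add compensating controls, strongest first, until the combined
    effectiveness reaches `target`. Returns (number_added, combined), or
    None when all candidates together still fall short."""
    chosen = []
    combined = primary
    for c in sorted(candidates, reverse=True):
        if combined >= target:
            break
        chosen.append(c)
        combined = combined_effectiveness([primary] + chosen)
    return (len(chosen), round(combined, 4)) if combined >= target else None


if __name__ == "__main__":
    for n, row in effectiveness_chart().items():
        print(n, "controls:", " ".join(f"{v:5.1f}%" for v in row))
    # Constructed accounts-payable case: a 60% authorization control plus
    # three candidate compensating controls at 60%, hypothetical 95% target.
    print(controls_needed(0.60, [0.60, 0.60, 0.60], 0.95))  # (3, 0.9744)
```

Recomputing the chart reproduces every cell of the article's table except the four-control, 60% entry, which the formula gives as 97.4% rather than 94.7%.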

Suppose your company has ten regions and auditors have determined that one hundred deficiencies exist in total. It is conceivable that 70-80% of those deficiencies can be remedied by use of Bayes' Theorem without further testing. A matrix could be established which illustrates the Financial Statement Process, Related Risk or Deficiency, Mitigating Controls and a Conclusion on the effectiveness of the controls. Let's look at an example of what can happen without significant controls in the real world.

A REAL-WORLD EXAMPLE OF LACK OF CONTROLS
Bill was a member of the Property Board of his international insurance group. He was able to support his family on a modest income, but then developed a need for cash to support a gambling addiction. Desperate for funds, he decided on a plan to allow him to continue to gamble indefinitely. As the chief Project Planner within his company, he had authority to propose and approve real estate development divestitures and acquisitions. It occurred to him that with no secondary levels of approvals needed, he could steer business into whatever sector he desired, and that offering to approve schemes in return for monetary gifts was a solution to his financial situation.

Eventually he built an income in the annual mid six-figure range from his side relationships. He used a straw man operation, a consultancy company, to launder the profits. False invoices for due diligence fees were provided to accounts payable; the due diligence was performed by an accomplice. Therefore, in addition to the off-the-books fraud, which would have been difficult to detect, he was directly depriving the company of revenue as well through false flag invoices.

Interestingly, due to the lack of controls at this company, the situation was only noticed by the financial institutions involved, in view of the large cash deposits and their rapid transfer to tax-haven jurisdictions. Suspicious activity reports filed by the institution led to an investigation through FinCen, the joint venture of the CIA and Treasury, which eventually uncovered the sub rosa arrangements.

This deficiency, which was not remediated until the facts came out, was in the field of acquisition accounting and payables. The lack of proper authorization for valuation and initiation of acquisitions was the unaddressed risk. An excellent mitigating control would have been senior management and/or board of directors approval of all acquisitions after due diligence by an approved vendor. These mitigating controls would have resulted in a low probability that acquisitions or divestitures could occur without senior management approval. The close ties to one vendor, i.e., the straw man vendor utilized for due diligence, would have been noticed. The results of this lack of adequate authorization and detective controls cost the corporation seven-figure monies before it was discovered. In fact, in this case the only reason it was discovered was the large-scale transactions and unrealistic wealth compared to the client profile held by the financial institution.

IT CONTROLS
In considering control characteristics, various issues are important. In the field of IT controls, the VISA credit card network service providers, including banks, processors, merchants and others, use what is known as the "Digital Dozen." Here is a list which is a mix of preventive, detective and corrective controls, most likely achieving security in the 99% to 100% range:
- Install and maintain a working firewall to protect data
- Restrict physical access to data
- Encrypt data sent across public networks
- Do not use vendor-supplied defaults for passwords and security codes
- Track all access to data by unique ID
- Protect stored data
- Use and update anti-virus software
- Implement an information security policy
- Assign a unique ID Code to each person with access
- Restrict access on a "need to know" basis
- Keep security patches up to date
- Regularly test security systems and processes

RISK ASSESSMENT
In risk assessment, worst-case scenarios are "gamed out" much as the intelligence agencies game out scenarios on a world front. If the threat happens, what are the worst consequences? How often could the event occur? And how certain are we as to the analysis? IT and finance both typically have risk control models in their Sarbanes-Oxley matrix.

If mitigating controls do not exist, you need to ask three questions:
- What can be done to reduce the risk?
- How much will it cost?
- Is the cost efficient?

Some risks may be minor and it may not be worthwhile to implement a control to counter them. Some risks may exist and cannot be remediated unless the source is fully and completely remediated. For example, if you have an escrow operation and your company has a directive that negative file balances over thirty days old must be funded by corporate, then that policy either exists and is implemented or it doesn't exist. Mitigating controls are not applicable to some risks.

Accepting the risk is one alternative. If you have one thousand branches and are concerned about lack of segregation of duties at the branches regarding cash controls, but a significant percentage of your branches have only one person authorized to handle funds, it is a non sequitur to raise a segregation of duties deficiency at those branches, so the best you can do is have a corporate directive for immediate restrictive endorsement of funds.

Eliminating the risk is another alternative. With an IT platform you can embed IT controls that for example eliminate the possibility of duplicate payments or claims.

Sharing the risk is a third alternative. The cost to transfer realized risk may be mitigated by reinsurance of large-dollar amounts of potential claims, for example, in the insurance industry.

Finally, controlling the risk, the topic of this article: your company must establish sufficient authorization, preventive or detective controls, working in combination, so that the real possibility of a control failure is extremely low.

Controls should meet a variety of characteristics:
- Their effectiveness should be a high percentile
- Their mix should reach a high level on the Theorem chart
- They should provide evidence when control parameters are exceeded
- An audit or management trail should occur

Utilizing advanced techniques, Internal Auditors can protect their employers and clients now and in the future. Basel II requirements can be conformed to within reasonable levels of cost containment. Sarbanes-Oxley costs can be streamlined. Utilizing proven and accepted mathematical theorems, principles of auditing come to life in a brand new manner.

CITATIONS: Wikipedia contributors. Bayes' theorem [Internet]. Wikipedia, The Free Encyclopedia; 2006 Mar 23, 19:34 UTC [cited 2006 Mar 24]. Available from: http://en.wikipedia.org/w/index.php?title=Bayes%27_theorem&oldid=45145110.



Jerry Grenough
Principal
Taylor Forensics

J.T. Grenough is a founder of Taylor Forensics, an investigative firm which consults on topics of corporate governance and investment performance strategy studies.

He graduated from the University of Louisville, maintains a CPA license in the Midwest, and has performed expert witness testimony. He has published articles for the Sarbanes Oxley Compliance Journal and the Institute of Internal Auditors. He has handled six major Sarbanes-Oxley assignments for Fortune 2000 companies, and served as a regional audit director for a Fortune 500 company, assisting the audit committee in the performance of their duties.

© 2019 Simplex Knowledge Company. All Rights Reserved.