July 17, 2006
Management needs additional guidance on how to link ERM's strategic objectives to control activities so that it can refine its existing key controls to only those that provide value to the organization or address major risks. In general, the topics and key metrics executive management uses to drive the business are a good starting point for identifying events that indicate whether the business will meet its objectives. If you were to ask stockholders what they are worried about, or what risks they would like to see managed, it is the risk that their organization will not tactically perform and position itself for ongoing financial success.
These very same metrics used for rationalizing controls (i.e., providing a "top-down, high-risk"/reward basis) should be used to meet the "Why" requirement from the proposed Executive Compensation and Related Party Disclosure.
The additional guidance from COSO for the smaller public companies was not at a practical enough level. Perhaps using more examples, similar to the SEC/PCAOB FAQs, would have helped. For instance, gross margin is a typical key metric for management; only the key controls required (typically automated) should be tested or relied upon, such as GL posted upon shipment to the right account with the right date for the right amount. This may include pricing and cost controls and shipment controls if there are risks associated with the processing of orders or if the process is system dependent (such as nearly all accelerated filers), benchmarking or testing every third year may be acceptable. By the way, this would provide an example of integrating controls testing with the financial audit, e.g., if the revenue, inventory, and expenditure cycle controls are automated and tested to post the right amounts, dates, etc., then there should be no reason to test this "again" in the financial audit.