Let’s Play KITCHEN-COSO
David Sidon, CPA
SOX / FDICIA / COSO Specialist; Managing Partner at Navis Partners LLC d/b/a The Navis Group; Banque Simulation Architect
Part 2 of Right-Sizing FDICIA/SOX
MUSINGS - From the desk of David Sidon, CPA, The Navis Group
So … in the last article I think we established that over-scoping and over-testing FDICIA/SOX is an enormous waste of time, energy and mooolah.
Then there’s the issue of those meddlesome entity-level controls, tech controls and the infernal mapping to the COSO principles and focus points. (“infernal” is intentional, not auto-correct).
The Navis approach, for a dozen years now and over 60+ COSO projects, takes the form of an extensive narrative, based on COSO’s 17 principles and 87 focus points, addressing the more esoteric and qualitative aspects of this effort to assess and assert the adequacy of our control structure over financial reporting. Reducing entity-level and tech controls to a narrative “yeah, we got that” gets a little tricky and defies the traditional norm, but it makes all the sense in the world.
Here’s the conundrum. In addressing the COSO focus points, what constitutes “sufficient” or “enough”? Case in point. Principle 1: Integrity. Focus Point 1: Tone from the Top. How do we test that? It’s tough to lay out even a cogent cultural “proof”.
I’m known for my silly hypothetical analogies, so buckle up!
Let’s play Kitchen-COSO. Principle 1: Food & Nutrition. Focus point 6: Sufficiency of kitchen appliances. If we need to assert that we have a kitchen provisioned with an adequate set of appliances, what’s your list? Different than my list probably. So if we spec out a gold standard that might include, but is not limited to, stove, refrigerator, dishwasher, toaster, microwave, food processor, blender, coffee maker, we can argue the sufficiency of that set. If I have an espresso machine instead of a coffee maker, or a toaster oven instead of a microwave, are we still provisioned well? How about extra goodies like an ice maker in the fridge, or an air fryer and so on? Diving deeper, let’s talk dishwasher. Do we need one? When mine broke down during COVID and it took 6 months to replace it, I gained a whole new appreciation. This might provide a good conversation around the cleanliness control of hand-washed vs machine-washed dishes as we look at the efficiency of our kitchen standards. So, writing up our assertion of kitchen appliance sufficiency, we might start with the gold standard, leave out what we don’t have, and then highlight any extras that our kitchen has. Sign off on it – we meet the general expectation of sufficiency. We meet the "spirit" of the guidance.
Back to tone from the top, we might anecdotally point to our code of ethics, whistle-blower provision and employee handbook as salient documentation. Signage around the bank. Messaging in annual meetings and reports. Integrity as one of our core values or pillars. Annual ethics training for employees. Annual ethics training for directors. If we can’t assert all of those things, are we deficient? No. We just need to narrate which of those items are key components of our ethics culture, leaving out what we don’t (yet) do. If we’re not doing many of those things, there’s work to do.
The principles relative to accountability, responsibility and competency go down this same rat hole, with nothing specifically “testable”, only “assertable”. Do we need to test that we have an org chart, or can we assert so? Do we need to test that we have Board minutes, or can we assert so? A little trickier, but can we assert that our annual outsourced IT audit covers “these” 12 items (like patch management, password controls, social engineering testing, etc.)? Do we really need to independently “test” existence? Do we meet the spirit of the guidance? I think the narrative assertion does so.
We’ve received 60+ sign-offs from audit firms that this approach suffices. More importantly, we’ve never had an audit firm reject this approach. Let us know if we can help.
Thanx for listening,
Banquer Dave