Might be a rock n’ roll addict, prancing on the stage
Might have money and drugs at your command, women in a cage
You may be a business man or some high degree thief
They may call you Doctor or they may call you Chief
But you’re gonna’ have to serve somebody, yes indeed
You’re gonna’ have to serve somebody.
Well, it may be the devil, or it may be the Lord
But you’re gonna’ have to serve somebody.
Bob Dylan, Gotta’ Serve Somebody
My business is minuscule, but that doesn’t exempt me from having to formalize my information processes and comply with reporting requirements of oversight entities.
Every year, I send a detailed report of my CPE offerings to the National Association of State Boards of Accountancy (NASBA). They want to know how many classes I offered, who taught them, where they were offered and for what group, the date of the classes, and the number of hours granted.
The first year I prepared the report, I suffered. I had to dig up physical files from earlier in the year and reconstruct all of the data, so I could input it into the report. Slog! It took days to put it together, and when I was finished, NASBA sent it back to me because it wasn’t formatted correctly. Really? More time, more suffering.
The State of Texas Board of Accountancy requires similar information, but their report has to be handwritten! Hand… friggin… written… with an ink pen. That takes a while to complete…
I realized after that first fiasco that I needed to go paperless and track the information I needed throughout the year rather than wait to gather the data at the last minute. My assistant Chelsea and I have a checklist of all of the documents we must collect after each class, and we maintain a running spreadsheet of the data I am required to report. All of the information is kept in a Dropbox file that she and I share and update each time I teach. No more messy paper files.
This year, I only spent a few hours creating both reports! And on top of that fabulous achievement, I also feel more confident in the information I am reporting because Chelsea and I double-check each other throughout the process.
I also have to report my income to the IRS every year. When I first started my business, I reasoned that I could keep the books myself because I am a CPA. The only problem is, I do not enjoy bookkeeping. I waited until the end of the year to force myself to sit down and input transactions into QuickBooks.
As you can imagine, I forgot the purpose of several payments that occurred early in the year and had to SWAG a description of the transactions. SWAG stands for Sophisticated Wild Ass Guess. After about five SWAGs, I decided I needed to stop the madness and hired a real bookkeeper, Carol, who keeps contemporary information on my business. Carol sends me up-to-date financials every Monday, and when it is time to report to the IRS, all the transactions are there, ready to report. No SWAGs necessary.
I have learned the hard way that thinking of the info you need to accumulate and share in advance is better than trying to gather it – and guess at it – months or even a year later.
The Green Book is Out to Save You from Suffering
The authors of the COSO model and Green Book must have gone through similar experiences. So, they advise us to think ahead about the information that needs to be shared and to make sure the data shared is valid.
In the chapter on Information and Communication they ask us to apply three principles:
13. Management should use quality information to achieve the entity’s objectives.
14. Management should internally communicate the necessary quality information to achieve the entity’s objectives.
15. Management should externally communicate the necessary quality information to achieve the entity’s objectives.
Principle #13 – no SWAGs
Auditors are trained to never take anyone’s word on anything. Auditors are trained to seek convincing evidence and not base any conclusions on testimony. Because both of my above reports could be audited, I am prepared to back up all of my data with original documents! For instance, the information I send to NASBA about the classes I offer is backed up with sign-in sheets from attendees. And the transactions in my accounting records are backed up with receipts and bank statements.
The first principle under the Information and Communication component advises us to put controls in place to make sure all of the information in the reports is valid and backed up with evidence. Three attributes apply to this principle:
13.01 Management should use quality information to achieve the entity’s objectives.
Attributes
The following attributes contribute to the design, implementation, and operating effectiveness of this principle:
- Identification of Information Requirements
- Relevant Data from Reliable Sources
- Data Processed into Quality Information
Attribute #1: Figure out who wants the information and what information they need
This attribute asks “Who cares about whether your work succeeds or whether your controls are functioning?” Our case study objective is: Do controls prevent the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459? I imagine that the following folks will care if the coach is making personal purchases:
- The director of the athletic department
- The executive team of the school
- The school board
- The citizens of the school district
Once we have a sense of who we will be sharing information with, we need to find out what they want to know. We can inquire of the stakeholders directly, or we can make some assumptions about what they need. Knowing what they want rather than guessing what they want is best because the frequency and accuracy of information cost time and money; it is a waste of resources to generate and report information they don’t need.
Section 13.03 says that the process of identifying what stakeholders need is an iterative process… in other words, you will have to redesign the content of your reports several times before you hit on content that is meaningful to the stakeholders.
Here is what the Green Book has to say about this attribute.
Identification of Information Requirements
13.02 Management designs a process that uses the entity’s objectives and related risks to identify the information requirements needed to achieve the objectives and address the risks. Information requirements consider the expectations of both internal and external users. Management defines the identified information requirements at the relevant level and requisite specificity for appropriate personnel.
13.03 Management identifies information requirements in an iterative and ongoing process that occurs throughout an effective internal control system. As change in the entity and its objectives and risks occurs, management changes information requirements as needed to meet these modified objectives and address these modified risks.
Attribute #2: Who you get the information from matters
It is always preferable to get your evidence – or the back-up for your reports – from objective third parties. So, instead of asking the coach to describe his own transactions, source your information from the credit card statement. The credit card company has no reason to disguise the purpose of purchases, but the coach does. If any transaction looks iffy, you could ask for original receipts from the coach.
From the Green Book:
Relevant Data from Reliable Sources
13.04 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements. Relevant data have a logical connection with, or bearing upon, the identified information requirements. Reliable internal and external sources provide data that are reasonably free from error and bias and faithfully represent what they purport to represent. Management evaluates both internal and external sources of data for reliability. Sources of data can be operational, financial, or compliance related. Management obtains data on a timely basis so that they can be used for effective monitoring.
Attribute #3: Don’t let anyone doctor the report before it is published
The last attribute addresses how the evidence is processed. The true financial results for Enron, which were created from reliable and relevant evidence by the Enron accounting department, didn’t look that attractive, so the Enron executives made a few fraudulent changes to the reports before they were published. Obviously, we don’t want to allow bogus changes to our reports in order to make the results look more acceptable.
This is what the Green Book has to say about processing data.
Data Processed into Quality Information
13.05 Management processes the obtained data into quality information that supports the internal control system. This involves processing data into information and then evaluating the processed information so that it is quality information. Quality information meets the identified information requirements when relevant data from reliable sources are used. Quality information is appropriate, current, complete, accurate, accessible, and provided on a timely basis. Management considers these characteristics as well as the information processing objectives in evaluating processed information and makes revisions when necessary so that the information is quality information. Management uses the quality information to make informed decisions and evaluate the entity’s performance in achieving key objectives and addressing risks.
13.06 Management processes relevant data from reliable sources into quality information within the entity’s information system. An information system is the people, processes, data, and technology that management organizes to obtain, communicate, or dispose of information.
Answering Who, What, When, Where & How
So, now that the Green Book has prompted us to answer the who and what questions – who we need to communicate with and what information they need – principles 14 and 15 prompt us to answer the when, where, and how questions.
The content of principles 14 and 15 is very similar. Principle 14 focuses on internal reporting and principle 15 focuses on external reporting. Both ask that we consider:
- Audience – The intended recipients of the communication
- Nature of information – The purpose and type of information being communicated
- Availability – Information readily available to the audience when needed
- Cost – The resources used to communicate the information
- Legal or regulatory requirements – Requirements in laws and regulations that may impact communication
A report for our case study
Let’s make up a report for our case study example. Remember our control objective is:
Do controls prevent the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?
Thinking through each of the prompts given in sections 14.07 and 15.07:
Audience
The intended recipients of the communication
The school board and the public.
Nature of information
The purpose and type of information being communicated
This report will contain a bar graphic for each user of the purchasing card and will look something like this:
It will also include a detailed list of transactions for each cardholder that will include the date of the transaction, the vendor, the amount of the purchase, and the items purchased.
Availability
Information readily available to the audience when needed
The board will receive the report every month via email and the report will be available to the public on the school’s website after the board has reviewed it.
Cost
The resources used to communicate the information
Accounting has the transaction information readily available in the general ledger, but it is not separated by user. So, the initial cost to set up individual accounts for each user will require some customization of the accounting software. But, once it is set up, the report should only take an accountant an hour to create and email to the board. The webmaster will have to post the report to the site, and that should take about 30 minutes.
Legal or regulatory requirements
Requirements in laws and regulations that may impact communication
This report will not help satisfy any regulatory requirements imposed by the state or federal government. However, the Comptroller of the State will award us a ‘Transparency’ award and will feature our report on their website if we meet their award criteria.
Information and Communication is the most straightforward component
The information and communication component of the COSO model/Green Book advises us to make sure that the information we share is valid and communicated in a manner that is helpful to stakeholders. In my opinion, it is the most straightforward and clear component of the COSO model/Green Book.
So far, we have covered three components of the COSO model/Green Book – the risk assessment component, the control activities component and the information and communication component. In the next chapter, we will cover the monitoring component.