Post on 23-Jan-2015
Presentation to San Jose State University
December 7, 2006
Presenters
Jerry Meyers, TR Senior Manager
Jerry.meyers@protiviti.com
Jagdish Pandey, TR Assoc. Director
Jagdish.pandey@protiviti.com
Dina Talerico, IA Senior Manager
Dina.talerico@protiviti.com
Objectives
• Who is Protiviti?
  • What We Do – Risk Consulting Defined
  • Our Vision, Mission and Core Values
  • Our Accomplishments
  • Our Locations, Our Clients
  • Behind the Enron Scandal
  • The Protiviti Story
• The Financial Statement Risk Assessment Process
  • Sarbanes-Oxley Overview
  • Our Approach/Methodology
  • FS Prioritization Process
• Questions and Wrap-Up
Who is Protiviti?
Protiviti is a leading provider of independent risk consulting and internal audit services.
What We Do - Risk Consulting Defined
The discipline of:
• Identifying, sourcing and measuring risk
• Formulating risk management strategies
• Designing and implementing capabilities for avoiding, retaining, reducing, transferring and exploiting risk
• Monitoring risk within acceptable tolerance levels
In Other Words…
We help clients understand their risks and how they can turn them into a competitive advantage.
Protiviti’s Vision and Mission
• Vision: To be recognized as the Premier Global Risk Consulting and Internal Audit Service Company.
• Mission: To constantly improve how businesses manage risk. We will develop deep competencies in people which enhance their value. We will bring unparalleled expertise to clients in risk management.
Protiviti Embodies Our Core Values
Protiviti core values: professionalism, productiviti, proactiviti, objectiviti, creativiti, integriti, quality
We are:
… Experienced Professionals with Proven Processes, Methodologies and Tools
… Focused on Risk Consulting
… A Driven Organization
… Independent
… Financially Strong
… A Strategic Advantage to Meet Your Resource Needs
… “Passionate About our Clients”
Why Protiviti?
Protiviti fills a unique and valuable position in the market, as depicted below. Protiviti brings a unique blend of knowledge and experience to the table which combines the focus, dedication and independence of a boutique firm, with the methodologies & tools, global presence, and deep skill sets of the Big 4.
Boutique:
• Responsive client service
• Lack of SEC restrictions
• Independent from attest & tax services
• Better teaming with external auditors
• Focus on core offerings
• Fee flexibility
Big Four:
• Methodologies & tools
• Experienced professionals
• Depth of risk consulting services
• Financial & management stability
• Recognized
• Global presence
Protiviti combines the strengths of the large consulting companies and independent alternatives…without compromise
Accomplishments
• Growth in the number of Protiviti employees and locations
• Recent quarterly earnings
• Implementation of a company Intranet, iShare, with cutting-edge knowledge management solution
• Recognized as a thought leader through our SOA and Internal Audit FAQs
• National alliances and partnerships
• Continued training development initiatives
Protiviti employs over 2200 professionals in more than 50 locations in North America, Latin America, Europe, Asia and Australia.
Protiviti Locations
*All logos used with client permission
Our client experience includes organizations across all major industries from global Fortune 500 corporations to small, privately-held, local institutions.*
Protiviti Clients
Our Practice
Our offerings span a breadth of internal audit and business and technology risk solutions.
Business Risk
• Corporate Governance
• Event Response
• Financial Risk
• Operational Risk
Technology Risk
• Application Effectiveness Solutions
• Change Management Solutions
• Continuity Solutions
• Identity management
• IT Asset Management Solutions
• Program Management Solutions
• Security and Privacy Solutions
Internal Audit
• Audit Committee Advisory
• IA Technology/Tool Implementation
• Internal Audit Co-Sourcing
• Internal Audit Full Outsourcing
• Internal Audit QA Review
• Internal Audit Transformation
• IT Audit Services – Start up and Development Advice
[Figure: internal audit sourcing options. Labels: Full In-House; Partial Outsourcing; Full Outsourcing; Limited Consulting/Ad Hoc Projects; Strategic Sourcing; Specialized Skills Arrangement; Co-Sourcing; Single Audit Director Model; Recurring Co-Sourcing; Strategic Partnering]
An outsourcing provider should have the flexibility to tailor the delivery options to meet the needs of your organization in the short term and the long term. Some common outsourcing options are listed below.
• Ad hoc consulting work and execution of internal audit projects on an “as needed” basis.
• Examples: transformation/benchmarking, facilitation, IA training, quality assurance reviews, selected internal audits, loan of personnel.
• Internal Audit leverages specialized skills/knowledge from outsource provider for specific projects.
• Examples: IT, Fraud, International, Self Assessment.
• Internal Audit partners with outsource partner to manage and execute the IA function, sharing all knowledge, proprietary tools, methodologies, and training, as well as providing a substantial amount of resources on a recurring, long-term basis.
• Internal Audit department teams with outsource partner for resources on regular, ongoing basis, generally spanning multiple years.
• Internal Audit Director manages internal audit function and reports to CFO and Audit Committee.
• Director is responsible for implementing the internal audit plan using outsource partner resources to execute.
Internal Audit
Business Risk
Corporate Governance • Enterprise Risk Management • Sarbanes-Oxley • Self-Assessment • J-SOX
Financial Risk • Basel II Services • Credit Risk • Trading & Commodities Risk • Treasury Risk
Risk Technology Solutions (RTS) • Discoveri • Dynamic Policy • Protiviti's Governance Portal • Resolver Suite
Event Response • Fraud Risk Management • Financial Investigations • Litigation Consulting
Operations Risk • Capital Projects & Construction Risk • Finance Process Effectiveness • Financial Reporting Risk Services • Regulatory Risk Consulting • Revenue Risk Services • Spend Risk Solutions • Supply Chain Risk Management
Technology Risk
Behind the Enron Scandal
• In March 2002, the US Justice Department indicted Arthur Andersen for obstruction of justice. Within 2 weeks, many of Andersen’s Fortune 100 clients had announced they were moving to another firm.
• Protiviti launched in May 2002 with approximately 700 ex-Arthur Andersen employees who had just lost their jobs as a result of the Enron scandal.
• In June 2002, jurors convicted Andersen of obstructing justice by destroying Enron Corp.-related documents.
• The conviction forced Andersen out of business: the remaining 28,000 employees (two thirds of its workforce) lost their jobs, and the firm was suspended from practicing audit.
• Three years later, the Supreme Court overturned the ruling, saying Andersen was convicted without proof that its shredding of documents was deliberately intended to undermine the SEC’s investigation of Enron.
The Protiviti Story
• Protiviti’s launch in 2002 with only 700 employees was the result of an employment agreement between Robert Half International (“RHI”) and Arthur Andersen
• Protiviti was formed as a wholly-owned subsidiary of RHI (a $3.3 billion public company specializing in staffing) and today employs more than 2,200 professionals in more than 50 offices in the Americas, Asia-Pacific and Europe
• Protiviti and the RHI divisions refer each other to clients for new business
• RHI staffs the appropriate contractors to augment Protiviti engagement teams
• RHI and Protiviti use the same shared services for Accounting, IT, Operations, etc.
QUESTIONS?
BREAK
The Financial Statement Risk Assessment Process
© 2006 Protiviti Inc. Confidential: This document is for your company’s internal use only and may not be distributed to any other third party.
Sarbanes-Oxley Overview
Section 301: Publicly traded companies are required to establish a procedure for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters.
Section 302: Management must evaluate the design and operational effectiveness of its disclosure controls and procedures quarterly (disclosure controls include internal controls).
Section 404: Management is required to file an internal control report with their annual report, stating:
• Management’s responsibilities to establish and maintain adequate internal controls and procedures for financial reporting
• Management’s conclusion on the effectiveness of these internal controls at year end
• That the company’s public accountant has attested to and reported on management’s evaluation of internal controls over financial reporting
Section 906: Expressly imposes criminal penalties if the information contained in the periodic report does not fairly represent, in all material respects, the financial condition and results of the operations of the issuer.
Our Approach/Methodology
[Figure: Protiviti’s Approach.
Phases: Set Foundation; PHASE I: Assess Current State and Identify Relevant Processes; PHASE II: Document Design and Evaluate Critical Processes and Controls; PHASE III: Design Solutions for Control Gaps; PHASE IV: Implement Solutions for Control Gaps; Report.
Components of Internal Control Reporting: Financial Reporting Requirements; Entity-Level Controls; Relevant Processes; Process Risks; Control Design; Control Operation; Control Improvements; Internal Control Report.
Further labels: Project Management; Knowledge Sharing; Communication; Continuous Improvement.
Tools & Technology: Sarbanes Diagnostics; Process Management (SarbOx Portal™); Assessment Management (The Self Assessor™); Knowledge Management.
IT Control Considerations: IT Controls; IT Organization and Structure; IT Entity-Level Control Evaluations; IT Process Level Control Evaluations.]
Our Approach: Detailed Project Steps
Set Foundation
• Organize project
• Develop project plan
• Agree on approach/reporting requirements
PHASE I: Assess Current State and Identify Relevant Processes
• Perform entity-level controls assessment
• Select financial statement elements, processes and locations
• Documentation standards – level of depth, assertions and control objectives
• Inventory existing control documentation
• Testing approach
PHASE II: Document Design and Evaluate Critical Processes and Controls
• Document processes
• Source risks (what can go wrong?)
• Document controls
• Assess design
• Validate operation
PHASE III: Design Solutions for Control Gaps
• Evaluate nature of identified deficiencies
• Decide deficiencies requiring correction
• Design and document improvements
PHASE IV: Implement Solutions for Control Gaps
• Build improvements
• Roll out improvements
• Test improvements
• Update policies and procedures
• Provide training
• Measure performance
Report
• Formulate conclusions with respect to internal controls over reliability of financial reporting
• Provide results and documentation to external audit for attestation process
• Conclude attestation process
• Write internal controls report
FS Prioritization Process: Selecting Financial Reporting Elements
Factors to consider in determining key financial reporting elements:
• Materiality of financial statement items
• Degree of volatility of the recorded amount over time
• Degree of subjectivity used in determining account balance
• Susceptibility to error or omission as well as loss or fraud
• Complexity of calculation
Additional factors to consider might include the following:
• Velocity of account - the speed of transactions through the account
• Nature and types of errors and omissions that could occur, i.e., “what can go wrong”
• Volume, size, complexity and homogeneity of the individual transactions processed through a given account or group of accounts
• Disclosures / footnotes in financial statements
• Prior year external auditor management letter comments
Account | Materiality | Degree of volatility of recorded amount | Subjectivity in determining account balance | Susceptibility to loss or fraud | Complexity of calculation | OVERALL RATING
Balance Sheet
Assets
Cash & Cash Equivalents
Cash | low | medium | low | medium | low | low
Temporary Cash Investments | low | medium | low | medium | low | low
Accounts Receivable
Receivables-Gross | high | medium | low | medium | low | high
Allowance for Doubtful Accounts | low | medium | high | low | high | high
Receivables-Value Added Tax (VAT) | low | medium | low | low | low | low
Receivables-Other (A/R vs A/P NTrade) | low | medium | low | high | low | medium
Receivables-Employee | low | medium | low | high | low | medium
FS Prioritization Process: Linking Accounts to Processes
Business cycle column groups: Treasury; Revenue; Conversion; Expenditure; Payroll; Equity; Taxes; Financial Reporting; IT
Process columns, in order: Managing Cash and Investments; Borrowings; Order Management; A/R Credit and Collections; Bad Debt Allowance; Shipping and Billing; Revenue Reserves; Inventory Costing and Cost of Goods Sold; Inventory Reserves; Inventory Management; Purchasing; Accounts Payable and Cash Disbursements; Asset Management; Amortize Prepaids and Intangibles; Manage Travel and Entertainment Expenses; Employee Master File Maintenance; Payroll/Emp. Benefits Liab.; Incentive Compensation; Stock Comp and Administration; Income Tax Provision & Compliance; Close the Books; Financial Statement Disclosure; Budgeting/Forecasting/Mgt Reporting; IT - General Controls
OVERALL PROCESS RATING, in column order: H L H H L M M M M M M M M L H M M M M L H M M H

Account | OVERALL FS RATING | Marked process cells
Assets
Current Assets:
Cash & cash equivalents | HIGH | H H H H H
Available for sale investments | MEDIUM | M M M M M
Accounts Receivable, net
Accounts Receivable | HIGH | H H H H H H H
Allowance for Doubtful Account | LOW | L L L L L
Allowance for Sales Returns | MEDIUM | M M M M M
Allow. for Cash Disc. Taken | MEDIUM | M M M M M
Allowance for Rebates | MEDIUM | M M M M M
Allowance for Price Discounts | MEDIUM | M M M M M
Inventories
Raw materials | MEDIUM | M M M M M M M
WIP | MEDIUM | M M M M M M
Finished goods | HIGH | H H H H H H
Inventory variances | LOW | L L L L L
Labor & OH capitalized | LOW | L L L L L
Inventory reserves | MEDIUM | M M M M M
Prepaid expenses and other current assets
Prepaid expenses | LOW | L L L L L
AR | LOW | L L L L L
Accrued Interest Receivable | LOW | L L L L L
Other | LOW | L L L L L
Available for sale investments (non-current) | MEDIUM | M M M M M
Property and equipment, net | MEDIUM | M M M M M
Other assets
Deposits | LOW | L L L L L
Licenses | LOW | L L L L L
Other | LOW | L L L L L
Processes
Revenue Processes:
• Order Management
• Shipping and Billing
• Accounts Receivables and Collections
• Allowances
• Revenue Reserves
Expenditure Processes:
• Purchasing
• AP & Cash Disbursement
• Asset Management
• Amortize Prepaid and Intangible Assets
• Manage Travel and Entertainment
Conversion Processes:
• Inventory Costing & COGS
• Inventory Reserves
• Inventory Management
Financial Reporting:
• Close Process and Consolidation
• Financial Statement Reporting and Disclosure
• Budgeting, Forecasting and Management Reporting
HR and Payroll:
• Employee Master File Maintenance
• Payroll and employee benefit liabilities
• Incentive Compensation
Treasury:
• Managing Cash and Investments
• Borrowings
Equity:
• Stock Compensation and Administration
Taxes:
• Income Tax Provisions and Compliance
Information Technology:
• IT General Controls
FS Prioritization Process: Risk Map
[Figure: risk map with axes Significance (Low to High) and Risk (Low to High). Processes plotted: Inventory Costing & Cost of Sales; AR & Collections; Borrowings; Amortize Prepaid & Intangible Assets; Stock Compensation & Administration; Managing Cash and Investments; Shipping and Billing; Manage Travel & Entertainment Expenses; Payroll & Employee Benefit Liabilities; Revenue Reserves; AP & Cash Disbursements; Tax Compliance; Asset Management; IT; Order Management; Bad Debt Allowances; Inventory Reserves; Inventory Management; Purchasing; Employee Master File Maintenance; Incentive Compensation; Close Process & Consolidation; Budgeting; Financial Statement Reporting & Disclosures]
The Financial Statement Risk Assessment Process
“Technology Coverage”
Our Approach: Linkage to IT
Select Priority Elements
• Select the priority accounts and disclosures
• Consider significance to financial reporting and risk of misstatement
Document Processes
• Document the transaction flows that materially impact the priority financial elements
Source Risks
• Use financial reporting assertions to source “what can go wrong” within the processes
• What are the risks?
Document Controls
• Document entity controls (“tone at the top”)
• Document the controls at the source of the risk (preventive) or downstream in the process (detective)
• What are the controls?
• Who owns the controls?
Assess Design
• Assess effectiveness of controls design at entity and process levels
• How is the controls design rated?
Validate Operation
• How are the controls performing?
Report
• Conclude
• Communicate
• Report
The IT work builds on these steps
Our Approach: Linkage to IT
[Figure: layered diagram linking financial statements to IT.
Significant Accounts in the Financial Statements: Balance Sheet; Income Statement; SCFP; Notes; Other
Business Processes / Classes of Transactions: Process A; Process B; Process C
Financial Applications: Application A; Application B
IT Infrastructure Services: Database; Operating System; Network
Application Controls: Accuracy; Completeness; Validity; Authorization; Segregation of duties; etc.
IT General Controls: Program development; Program changes; Program operations; Access control; Control environment]
Source: IT Governance Institute – IT Control Objectives for Sarbanes-Oxley, April 2004
Our Approach: ITGC Scope
Objectives
Development (SDLC) and Change Management
• Acquire or Develop Application Software
• Acquire Technology Infrastructure
• Install and Test Application Software and Technology Infrastructure
• Manage Changes
Access and Security
• Ensure Systems Security (Physical, Network, Operating System, Database and Application levels)
• Manage the Configuration
Operations
• Manage Problems and Incidents
• Manage Data
• Manage Operations
• Define and Manage Service Levels
• Manage Third-party Services
Our Approach: ITGC Scope
Applications
Application Controls
[Figure: the layered diagram from the “Our Approach: Linkage to IT” slide, repeated. Layers: Significant Accounts in the Financial Statements; Business Processes / Classes of Transactions; Financial Applications; IT Infrastructure Services (Database, Operating System, Network); with Application Controls (Accuracy, Completeness, Validity, Authorization, Segregation of duties, etc.) and IT General Controls (Program development, Program changes, Program operations, Access control, Control environment)]
Source: IT Governance Institute – IT Control Objectives for Sarbanes-Oxley, April 2004
QUESTIONS?