404 Readiness Review: Documenting Your System of Internal Control
The Institute of Internal Auditors
Webcast Series on Sarbanes-Oxley Act
May 21, 2003
1:00 – 2:30 pm Eastern Time
The IIA Webcast Moderator
Jim Key, CIA, Managing Partner
Shenandoah Group, L.L.P.
Webcast Series on SOA
Fostering Compliance with SOA: Internal Auditor’s Role
• Four sessions archived on IIA’s website and available on CD
• Originally aired January 28 – April 15, 2003
Webcast Series on SOA - Continues
Emerging Trends & Best Practices in Implementing SOA
• Six sessions archived on IIA’s website and available on CD
• May 21 – 404 Readiness Review: Documenting Your System of Internal Control
• June 10 – Helping the Audit Committee Implement Complaint Handling
• Remaining sessions, with your input, will be on July 8, August 12, September 9 and September 30
Agenda
1:00 Introductions and Overview
1:10 Critical Decisions on Documenting Internal Controls - Bill Gassel
1:20 Implementing Sarbanes-Oxley Sec 404 - Dennis Drent
1:30 Maintaining Objectivity - Paul Sobel
1:45 Break
1:50 Questions and Answers - Panel
2:25 Wrap up - Jim Key
Critical Decisions for Documenting Internal Controls
Bill Gassel, CPA, Director of Internal Audit
Emerson
Chronology
Nov ’02 Formed core team & established goals & timetable
Nov ’02 Selected the documentation methodology & created a pilot questionnaire
Dec ’02 Conducted pilots at 9 sites worldwide
Dec ’02 Started on website to facilitate documentation collection
Jan ’03 Led training and documentation rollout
Mar ’03 Divisions completed documentation (tremendous effort); Internal Audit reviewed for sufficiency
May ’03 Executing the testing plan
Key Initial Decisions
Documentation decisions made early on:
• Where?
• What format (narratives, flowcharts, questionnaires, or a combination)?
• What accounts or processes?
• How much must be documented?
• Who should certify?
• Who will own/maintain the documentation?
• How to train everyone?
Guidance for Control Descriptions
Note:
"Yes" answers require the following criteria:
1. Describe the control procedure in detail.
2. Who performs the control (employee title) and who reviews it?
3. Frequency of control (daily, monthly, quarterly, etc.).
4. Automated system or manual control.
"No" answers require:
1. What mitigating controls exist to achieve the control objective?
2. Who performs mitigating controls & how often?
3. If no mitigating controls exist, how will the deficiency be fixed?
"N/A" answers require:
1. Explain why the control does not apply to the location.
Beneficial Steps
• Executive management support obtained
• Involved the Controllership function early
• Communicated early with KPMG and E&Y to interpret likely standards
• Standardized the documentation format
• Used pilot process to gain practical insights
• Collaborated with internal process experts to validate questionnaire focus
• Held central training for all Finance Officers
• Created an “Example Completed ICQ”
• Tailored the questionnaire for smaller and international sites
• Reviewed a majority of the documentation for sufficiency
• Started testing controls 5 months prior to year-end (10,000 – 12,000 hours of effort) - significant locations first
Current 404 Considerations
• Develop Evaluation Methodology with Management
– Which locations and controls will be tested?
• Accumulating and aggregating the testing results
• Broadening the evaluation methodology into ERM
• Migrating Control Questionnaire platform to CSA process
• Minimizing redundancy of testing between Internal and external auditors
• Availability of qualified staff
Steps in Implementing Sarbanes-Oxley Sec. 404
Dennis Drent, Vice President – Internal Audit
Nationwide Insurance
Implementing Sarbanes-Oxley § 404
Timeline, Nov. 2002 – Dec. 2003 (each X marks one month in which the step is scheduled)

Nov. 2002 – May 2003 (Section 404 Steps Completed)
1. Select Executive Sponsor and assemble team | X
2. Develop evaluation strategy including use of technology | X
3. Document key controls relating to financial reporting process | X X X X
4. Train control and executive owners | X X
5. First quarter certification and verification process completed | X X X

Jun. 2003 – Dec. 2003 (Section 404 Steps to Do)
6. Control scrubbing, gap analysis, and control evaluation | X X X
7. Revise/redesign controls as deemed necessary | X X
8. Management prepared to assert | X
9. KPMG attestation work | X X X
2 Develop evaluation strategy including use of technology
• “CEO friendly” technology solution.
• Lotus Notes database allows for analysis and reporting. No flow charts.
• Used drop-down boxes for everything we could.
• Control and executive owners versus process owners.
• Internal Audit “owns” the database - the business owns the controls.
5 First quarter certification and verification process completed
• Control and executive owners certify in database - separate verification process.
• 30% of controls were changed, over 100 controls eliminated.
• Internal Audit administers “change” questionnaire and consults on verification procedures.
• Results of control certification/verification process reported to Disclosure Committee.
6 Control scrubbing, gap analysis, and control evaluation
• Time to bring in the external auditors - jointly define “internal control adequacy.”
• At this point, most work performed by external auditor will be “audit services” and therefore mitigates independence conflict.
Maintaining Objectivity
Paul Sobel, Vice President, Risk Assessment
Aquila, Inc.
Corporate Governance Framework
[Diagram] Corporate Stakeholders; Board of Directors (Governance “Umbrella”); Risk Management: Senior Management, Risk Owners; Assurance: Internal Auditors, External Auditors

Corporate Governance Framework and the Sarbanes-Oxley Act
[Diagram] The same framework with the Sarbanes-Oxley Act and Sec. 404 labels overlaid: Board of Directors (Governance “Umbrella”); Risk Management: Senior Management, Risk Owners; Assurance: Internal Auditors, External Auditors
Objectivity Standards
• Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.
– State of mind
– Personal feelings or prejudices shouldn’t distort the facts
• Cannot act in a management role or make management decisions
The Audit Process
Audit Phase | Approach | Audit Evidence
1. Project Objective | Determined in Annual Audit Plan | Planning Memo
2. Risk Assessment | Identify/Assess Key Risks | Risk Memo/Matrix
3. Process Design | Understand Process and Identify Key Controls | Flowcharts & Memos
4. Gap Analysis | Evaluate Current vs. Desired State | Findings and Recommendations
5. Process Effectiveness | Develop and Execute Testing Plan | Testing Results
6. Gap Analysis | Evaluate Current vs. Desired State | Findings and Recommendations
7. Reporting | Communicate Results | Audit Report
The Sarbanes-Oxley 404 Process
Audit Phase | Approach | Audit Evidence
1. Project Objective | Understand S-O 404 Requirements | Project Planning Memo
2. Risk Assessment | Link F/S Captions to Processes; Assess Risks to F/S Assertions | F/S / Risks / Assertions Linkage
3. Process Design | Understand Processes & Identify Key Controls Over Financial Reporting | Flowcharts & Memos
4. Gap Analysis | Evaluate Current vs. Desired State | Findings and Remediation Plans
5. Process Effectiveness | Develop and Execute Assurance/Testing Plan | Testing Results
6. Gap Analysis | Evaluate Current vs. Desired State | Findings and Remediation Plans
7. Reporting | Update Key Control Effectiveness (Control Owner Assertions) | Self Assessments and Audit Reports
Maintaining Objectivity
Audit Phase | Approach | What Can IA Do?
1. Project Objective | Understand S-O 404 Requirements | No issues; objectives set by 3rd party (SEC)
2. Risk Assessment | Link F/S Captions to Processes; Assess Risks to F/S Assertions | Make risk judgments; must gain mgmt. concurrence
3. Process Design | Understand Processes & ID Key Controls Over Financial Reporting | Document processes; based on mgmt. input and validation
4. Gap Analysis | Evaluate Current vs. Desired State | Make judgments; validate with mgmt.
5. Process Effectiveness | Develop and Execute Assurance/Testing Plan | Determine what to test and evaluate test results
6. Gap Analysis | Evaluate Current vs. Desired State | Make judgments; validate with mgmt.
7. Reporting | Update Key Control Effectiveness (Control Owner Assertions) | Facilitate/gather assessment results
Summary
• Internal Audit can lead a Sarbanes-Oxley 404 project
• Documentation phase is no different than that required in an audit
  – IA’s objectivity is not impaired if they lead the documentation efforts
• It is important to engage management to validate judgments and decisions
  – They must own the results, not IA
• Communicate consistently with your external auditors to ensure they understand how your objectivity has not been impaired
• It’s not an objectivity issue; it’s an ownership issue!