Presentation to San Jose State University

Presentation to San Jose State University December 7, 2006


Transcript of Presentation to San Jose State University

Page 1: Presentation to San Jose State University

Presentation to San Jose State University

December 7, 2006

Page 2: Presentation to San Jose State University

Presenters

Jerry Meyers, TR Senior Manager

Jagdish Pandey, TR Assoc. Director

Dina Talerico, IA Senior Manager

Page 3: Presentation to San Jose State University

Objectives

• Who is Protiviti?
• What We Do – Risk Consulting Defined
• Our Vision, Mission and Core Values
• Our Accomplishments
• Our Locations, Our Clients
• Behind the Enron Scandal
• The Protiviti Story
• The Financial Statement Risk Assessment Process
• Sarbanes-Oxley Overview
• Our Approach/Methodology
• FS Prioritization Process
• Questions and Wrap-Up

Page 4: Presentation to San Jose State University

Who is Protiviti?

Page 5: Presentation to San Jose State University

Who is Protiviti?

Protiviti is a leading provider of independent risk consulting and internal audit services.

Page 6: Presentation to San Jose State University

What We Do - Risk Consulting Defined

The discipline of:

• Identifying, sourcing and measuring risk

• Formulating risk management strategies

• Designing and implementing capabilities for avoiding, retaining, reducing, transferring and exploiting risk

• Monitoring risk within acceptable tolerance levels

Page 7: Presentation to San Jose State University

In Other Words…

We help clients understand their risks and how they can turn them into a competitive advantage.

Page 8: Presentation to San Jose State University

Protiviti’s Vision and Mission

• Vision: To be recognized as the Premier Global Risk Consulting and Internal Audit Service Company.

• Mission: To constantly improve how businesses manage risk. We will develop deep competencies in people which enhance their value. We will bring unparalleled expertise to clients in risk management.

Page 9: Presentation to San Jose State University

Protiviti Embodies Our Core Values

Protiviti core values:

• professionalism
• productiviti
• proactiviti
• objectiviti
• creativiti
• integriti
• quality

We are:

… Experienced Professionals with Proven Processes, Methodologies and Tools
… Focused on Risk Consulting
… A Driven Organization
… Independent
… Financially Strong
… A Strategic Advantage to Meet Your Resource Needs
… “Passionate About our Clients”

Page 10: Presentation to San Jose State University

Why Protiviti?

Protiviti fills a unique and valuable position in the market, as depicted below. Protiviti brings a unique blend of knowledge and experience to the table which combines the focus, dedication and independence of a boutique firm, with the methodologies & tools, global presence, and deep skill sets of the Big 4.

Boutique:
• Responsive client service
• Lack of SEC restrictions
• Independent from attest & tax services
• Better teaming with external auditors
• Focus on core offerings
• Fee flexibility

Big Four:
• Methodologies & tools
• Experienced professionals
• Depth of risk consulting services
• Financial & management stability
• Recognized
• Global presence

Protiviti combines the strengths of the large consulting companies and independent alternatives…without compromise

Page 11: Presentation to San Jose State University

Accomplishments

• Growth in the number of Protiviti employees and locations
• Recent quarterly earnings
• Implementation of a company Intranet, iShare, with cutting-edge knowledge management solution
• Recognized as a thought leader through our SOA and Internal Audit FAQs
• National alliances and partnerships
• Continued training development initiatives

Page 12: Presentation to San Jose State University

Protiviti employs over 2200 professionals in more than 50 locations in North America, Latin America, Europe, Asia and Australia.

Protiviti Locations

Page 14: Presentation to San Jose State University

Our Practice

Our product offerings cover a breadth of internal audit, business risk and technology risk solutions.

Business Risk:
• Corporate Governance
• Event Response
• Financial Risk
• Operational Risk

Technology Risk:
• Application Effectiveness Solutions
• Change Management Solutions
• Continuity Solutions
• Identity Management
• IT Asset Management Solutions
• Program Management Solutions
• Security and Privacy Solutions

Internal Audit:
• Audit Committee Advisory
• IA Technology/Tool Implementation
• Internal Audit Co-Sourcing
• Internal Audit Full Outsourcing
• Internal Audit QA Review
• Internal Audit Transformation
• IT Audit Services – Start up and Development Advice

Page 15: Presentation to San Jose State University

Internal Audit

An outsourcing provider should have the flexibility to tailor the delivery options to meet the needs of your organization in the short term and long term. Some common outsourcing options are listed below.

Figure labels (sourcing options): Full In-House; Limited Consulting/Ad Hoc Projects; Specialized Skills Arrangement; Strategic Sourcing; Partial Outsourcing; Co-Sourcing; Recurring Co-Sourcing; Strategic Partnering; Single Audit Director Model; Full Outsourcing

• Ad hoc consulting work and execution of internal audit projects on an “as needed” basis.
  Examples: transformation/benchmarking, facilitation, IA training, quality assurance reviews, selected internal audits, loan of personnel.
• Internal Audit leverages specialized skills/knowledge from outsource provider for specific projects.
  Examples: IT, Fraud, International, Self Assessment.
• Internal Audit partners with outsource partner to manage and execute the IA function, sharing all knowledge, proprietary tools, methodologies, and training, as well as providing substantial amount of resources on a recurring, long-term basis.
• Internal Audit department teams with outsource partner for resources on regular, ongoing basis, generally spanning multiple years.
• Internal Audit Director manages internal audit function and reports to CFO and Audit Committee.
• Director is responsible for implementing the internal audit plan using outsource partner resources to execute.

Page 16: Presentation to San Jose State University

Business Risk

Corporate Governance • Enterprise Risk Management • Sarbanes-Oxley • Self-Assessment • J-SOX

Financial Risk • Basel II Services • Credit Risk • Trading & Commodities Risk • Treasury Risk

Risk Technology Solutions (RTS) • Discoveri • Dynamic Policy • Protiviti's Governance Portal • Resolver Suite

Event Response • Fraud Risk Management • Financial Investigations • Litigation Consulting

Operations Risk • Capital Projects & Construction Risk • Finance Process Effectiveness • Financial Reporting Risk Services • Regulatory Risk Consulting • Revenue Risk Services • Spend Risk Solutions • Supply Chain Risk Management

Page 17: Presentation to San Jose State University

Technology Risk

Page 18: Presentation to San Jose State University

Behind the Enron Scandal

• In March 2002, the US Justice Department indicted Arthur Andersen for obstruction of justice. Within 2 weeks, many of Andersen’s Fortune 100 clients had announced they were moving to another firm.

• Protiviti launched in May 2002 with approximately 700 ex-Arthur Andersen employees who had just lost their jobs as a result of the Enron scandal.

• In June 2002, jurors convicted Andersen of obstructing justice by destroying Enron Corp. related documents.

• The conviction forced Andersen out of business: the remaining 28,000 employees (two thirds of its workforce) lost their jobs and the firm was suspended from practicing audit.

• Three years later the Supreme Court overturned the ruling, saying Andersen was convicted without proof that its shredding of documents was deliberately intended to undermine the SEC’s investigation of Enron.

Page 19: Presentation to San Jose State University

The Protiviti Story

• Protiviti’s launch in 2002 with only 700 employees was the result of an employment agreement between Robert Half International (“RHI”) and Arthur Andersen

• Protiviti was formed as a wholly-owned subsidiary of RHI (a $3.3 billion public company specializing in staffing) and today employs more than 2,200 professionals in more than 50 offices in the Americas, Asia-Pacific and Europe

• Protiviti and the RHI divisions refer each other to clients for new business

• RHI staffs the appropriate contractors to augment Protiviti engagement teams

• RHI and Protiviti use the same shared services for Accounting, IT, Operations, etc.

Page 20: Presentation to San Jose State University

QUESTIONS?

Page 21: Presentation to San Jose State University

BREAK

Page 22: Presentation to San Jose State University

The Financial Statement Risk Assessment Process

Page 23: Presentation to San Jose State University

© 2006 Protiviti Inc. Confidential: This document is for your company’s internal use only and may not be distributed to any other third party.

Sarbanes-Oxley Overview

Section 301: Publicly traded companies are required to establish a procedure for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters.

Section 302: Management must evaluate the design and operational effectiveness of its disclosure controls and procedures quarterly (disclosure controls include internal controls).

Section 404: Management is required to file an internal control report with their annual report, stating:

• Management’s responsibilities to establish and maintain adequate internal controls and procedures for financial reporting
• Management’s conclusion on the effectiveness of these internal controls at year end
• That the company’s public accountant has attested to and reported on management’s evaluation of internal controls over financial reporting

Section 906: Expressly imposes criminal penalties if the information contained in the periodic report does not fairly represent, in all material respects, the financial condition and results of the operations of the issuer.

Page 24: Presentation to San Jose State University


Our Approach/Methodology

Diagram labels (Protiviti’s Approach):

• Phases: Set Foundation; PHASE I: Assess Current State and Identify Relevant Processes; PHASE II: Document Design and Evaluate Critical Processes and Controls; PHASE III: Design Solutions for Control Gaps; PHASE IV: Implement Solutions for Control Gaps; Report
• Components of Internal Control Reporting: Financial Reporting Requirements; Entity-Level Controls; Relevant Processes; Process Risks; Control Design; Control Operation; Control Improvements; Internal Control Report
• IT Control Considerations: IT Organization and Structure; IT Entity-Level Control Evaluations; IT Process Level Control Evaluations; IT Controls
• Tools & Technology: Sarbanes Diagnostics; Process Management (SarbOx Portal™); Assessment Management (The Self Assessor™); Knowledge Management
• Supporting activities: Project Management; Knowledge Sharing; Communication; Continuous Improvement

Page 25: Presentation to San Jose State University


Our Approach: Detailed Project Steps

Set Foundation

• Organize project
• Develop project plan
• Agree on approach/reporting requirements

PHASE I: Assess Current State and Identify Relevant Processes

• Perform entity-level controls assessment
• Select financial statement elements, processes and locations
• Documentation standards – level of depth, assertions and control objectives
• Inventory existing control documentation
• Testing approach

PHASE II: Document Design and Evaluate Critical Processes and Controls

• Document processes
• Source risks (what can go wrong?)
• Document controls
• Assess design
• Validate operation

PHASE III: Design Solutions for Control Gaps

• Evaluate nature of identified deficiencies
• Decide deficiencies requiring correction
• Design and document improvements

PHASE IV: Implement Solutions for Control Gaps

• Build improvements
• Roll out improvements
• Test improvements
• Update policies and procedures
• Provide training
• Measure performance

Report

• Formulate conclusions with respect to internal controls over reliability of financial reporting
• Provide results and documentation to external audit for attestation process
• Conclude attestation process
• Write internal controls report

Page 26: Presentation to San Jose State University


FS Prioritization Process: Selecting Financial Reporting Elements

Factors to consider in determining key financial reporting elements:

• Materiality of financial statement items

• Degree of volatility of the recorded amount over time

• Degree of subjectivity used in determining account balance

• Susceptibility to error or omission as well as loss or fraud

• Complexity of calculation

Additional factors to consider might include the following:

• Velocity of account - the speed of transactions through the account

• Nature and types of errors and omissions that could occur, i.e., “what can go wrong”

• Volume, size, complexity and homogeneity of the individual transactions processed through a given account or group of accounts

• Disclosures / footnotes in financial statements

• Prior year external auditor management letter comments

Balance Sheet: Assets

| Account | Materiality | Degree of volatility of recorded amount | Subjectivity in determining account balance | Susceptibility to loss or fraud | Complexity of calculation | OVERALL RATING |
|---|---|---|---|---|---|---|
| Cash & Cash Equivalents | | | | | | |
| Cash | low | medium | low | medium | low | low |
| Temporary Cash Investments | low | medium | low | medium | low | low |
| Accounts Receivable | | | | | | |
| Receivables-Gross | high | medium | low | medium | low | high |
| Allowance for Doubtful Accounts | low | medium | high | low | high | high |
| Receivables-Value Added Tax (VAT) | low | medium | low | low | low | low |
| Receivables-Other (A/R vs A/P NTrade) | low | medium | low | high | low | medium |
| Receivables-Employee | low | medium | low | high | low | medium |

Page 27: Presentation to San Jose State University


FS Prioritization Process: Linking Accounts to Processes

Matrix linking financial statement accounts (rows) to processes (columns). Columns are grouped by business cycle (Treasury, Revenue, Conversion, Expenditure, Payroll), followed by Equity, Taxes, Financial Reporting and IT.

| Process | OVERALL PROCESS RATING |
|---|---|
| Managing Cash and Investments | H |
| Borrowings | L |
| Order Management | H |
| A/R Credit and Collections | H |
| Bad Debt Allowance | L |
| Shipping and Billing | M |
| Revenue Reserves | M |
| Inventory Costing and Cost of Goods Sold | M |
| Inventory Reserves | M |
| Inventory Management | M |
| Purchasing | M |
| Accounts Payable and Cash Disbursements | M |
| Asset Management | M |
| Amortize Prepaids and Intangibles | L |
| Manage Travel and Entertainment Expenses | H |
| Employee Master File Maintenance | M |
| Payroll/Emp. Benefits Liab. | M |
| Incentive Compensation | M |
| Stock Comp and Administration | M |
| Income Tax Provision & Compliance | L |
| Close the Books | H |
| Financial Statement Disclosure | M |
| Budgeting/Forecasting/Mgt Reporting | M |
| IT - General Controls | H |

| Account (Assets) | OVERALL FS RATING |
|---|---|
| Current Assets: | |
| Cash & cash equivalents | HIGH |
| Available for sale investments | MEDIUM |
| Accounts Receivable, net: | |
| Accounts Receivable | HIGH |
| Allowance for Doubtful Account | LOW |
| Allowance for Sales Returns | MEDIUM |
| Allow. for Cash Disc. Taken | MEDIUM |
| Allowance for Rebates | MEDIUM |
| Allowance for Price Discounts | MEDIUM |
| Inventories: | |
| Raw materials | MEDIUM |
| WIP | MEDIUM |
| Finished goods | HIGH |
| Inventory variances | LOW |
| Labor & OH capitalized | LOW |
| Inventory reserves | MEDIUM |
| Prepaid expenses and other current assets: | |
| Prepaid expenses | LOW |
| AR | LOW |
| Accrued Interest Receivable | LOW |
| Other | LOW |
| Available for sale investments (non-current) | MEDIUM |
| Property and equipment, net | MEDIUM |
| Other assets: | |
| Deposits | LOW |
| Licenses | LOW |
| Other | LOW |

Page 28: Presentation to San Jose State University


Processes

Revenue Processes:
• Order Management
• Shipping and Billing
• Accounts Receivables and Collections
• Allowances
• Revenue Reserves

Expenditure Processes:
• Purchasing
• AP & Cash Disbursement
• Asset Management
• Amortize Prepaid and Intangible Assets
• Manage Travel and Entertainment

Conversion Processes:
• Inventory Costing & COGS
• Inventory Reserves
• Inventory Management

Financial Reporting:
• Close Process and Consolidation
• Financial Statement Reporting and Disclosure
• Budgeting, Forecasting and Management Reporting

HR and Payroll:
• Employee Master File Maintenance
• Payroll and employee benefit liabilities
• Incentive Compensation

Treasury:
• Managing Cash and Investments
• Borrowings

Equity:
• Stock Compensation and Administration

Taxes:
• Income Tax Provisions and Compliance

Information Technology:
• IT General Controls

FS Prioritization Process: Risk Map

Figure: the processes listed above plotted on a risk map, with Significance (Low to High) on one axis and Risk (Low to High) on the other.

Page 29: Presentation to San Jose State University

The Financial Statement Risk Assessment Process: “Technology Coverage”

Page 30: Presentation to San Jose State University


Our Approach: Linkage to IT

Process steps: Select Priority Elements; Document Processes; Source Risks; Document Controls; Assess Design; Validate Operation; Report

• Select the priority accounts and disclosures
• Consider significance to financial reporting and risk of misstatement
• Document the transaction flows that materially impact the priority financial elements
• Use financial reporting assertions to source “what can go wrong” within the processes
• Document entity controls (“tone at the top”)
• Document the controls at the source of the risk (preventive) or downstream in the process (detective)
• Assess effectiveness of controls design at entity and process levels
• Conclude
• Communicate
• Report

Questions answered along the way:

• What are the risks?
• What are the controls?
• Who owns the controls?
• How is the controls design rated?
• How are the controls performing?

The IT work builds on these steps

Page 31: Presentation to San Jose State University


Our Approach: Linkage to IT

Diagram labels:

• Significant Accounts in the Financial Statements: Balance Sheet; Income Statement; SCFP; Notes; Other
• Business Processes / Classes of Transactions: Process A; Process B; Process C
• Financial Applications: Application A; Application B
• IT Infrastructure Services: Database; Operating System; Network
• Application Controls: Accuracy; Completeness; Validity; Authorization; Segregation of duties; etc.
• IT General Controls: Program development; Program changes; Program operations; Access control; Control environment

Source: IT Governance Institute – IT Control Objectives for Sarbanes-Oxley, April 2004

Page 32: Presentation to San Jose State University


Our Approach: ITGC Scope

Objectives

Development (SDLC) and Change Management
• Acquire or Develop Application Software
• Acquire Technology Infrastructure
• Install and Test Application Software and Technology Infrastructure
• Manage Changes

Access and Security
• Ensure Systems Security (Physical, Network, Operating System, Database and Application levels)
• Manage the Configuration

Operations
• Manage Problems and Incidents
• Manage Data
• Manage Operations
• Define and Manage Service Levels
• Manage Third-party Services

Page 33: Presentation to San Jose State University


Our Approach: ITGC Scope

Applications

Page 34: Presentation to San Jose State University


Application Controls


Page 35: Presentation to San Jose State University

QUESTIONS?