1 The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act The Institute...

transcript

The Road Ahead – Meeting the challenges in complying with The

Sarbanes-Oxley Act

The Road Ahead – Meeting the challenges in complying with The

Sarbanes-Oxley Act

The Institute of Internal Auditors

Webcast Series on Sarbanes-Oxley

Session #6 – September 30, 2003

The IIA Webcast ModeratorThe IIA Webcast Moderator

Jim Key, CIA

Managing Partner

Shenandoah Group, L.L.P

DisclaimerDisclaimer

The views expressed in this webcast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees and members.

Series 2: Emerging Trends and Best Practices in Implementing SOA

• May 21 - Section 404 Readiness Review: How to document your system of internal control. (Archived)

• June 10 - Helping your audit committee implement complaint handling. (Archived)

• July 8 - Leveraging the COSO framework to meet Section 404 requirements (Archived)

• August 12 - Project Administration – Setting and revising priorities in the wake of the “Final 404 Rules” (Archived)

• September 9 - Internal Audit support of Audit Committees – What works best

• September 30 - The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act

Webcast Series on SOAWebcast Series on SOA

Fostering Compliance with SOA: Internal Auditor’s Role

• Four sessions archived on IIA’s website and available on CD

• Originally aired January 28 – April 15, 2003

IIA Online Training - New !IIA Online Training - New !

Conferences on Demand• IIA’s August’s ERM/CSA Conference 10 best sessions online for $199.

• Stay current and earn CPEs

• Visit http://www.theiia.org/iia/index.cfm?doc_id=4382 for a list of the segments and additional information.

• Or, contact rbrindley@theiia.org.

1:00 Introduction and Overview - Jim Key

1:05 Internal Control Strategy – Patricia Scipio

Fitting into the Bigger Picture – Kimberly Parker Gavaletz

COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel

1:55 Break

2:00 Questions & Answers – Panel

2:25 - 2:30 Concluding Remarks – Jim Key

AgendaAgenda

Internal Control Testing Strategy

Patricia Scipio, CIA, CPA Vice President, Auditing

Wellchoice, Inc.

Where is your company at in terms of 404 Readiness?Where is your company at in terms of 404 Readiness?

Choice Count %

Completed the scoping, planning and mobilization

51 46.4%

Completed controls documentation

18 16.4%

Completed the evaluation of the design effectiveness of controls

8 7.3%

Completed the testing of the operating effectiveness of controls

3 2.7%

Completed remediation of any identified design gaps

1 0.9%

Completed remediation of any identified operating controls ineffectiveness

2 1.8%

Other, please explain: 27 24.5%

When is your company planning to test the operating

effectiveness of key controls?

When is your company planning to test the operating

effectiveness of key controls?

Choice Count %

2003 and 2004 63 58.9%

Only in 2004 and why?

44 41.1%

Key Initial DecisionsKey Initial Decisions• What controls will be tested?

• How will each type of control be tested?

• When will each control be tested?

• How often should each control be tested?

• Who will perform the testing?

Testing Strategy Objectives

• Standardize a methodology for testing the operating effectiveness

• Develop proactive warning indicators to alert management of potential control failures

• Monitor key processes by continuous scanning for adverse developments

• Develop a turn key approach so business owners can easily perform testing as part of their routine

Financial Reporting Control ObjectivesFinancial Reporting Control Objectives

• Existence or Occurrence

• Completeness

• Rights and Obligations

• Valuation or Allocations

• Presentation and Disclosure

Basic ControlsBasic Controls• Accountability• Control Totals• Double Verification• Exception/Edit Reports• Holding Files • Independent Checks• Interface Controls• Key Performance

Indicators • Management Review

• Numerical Sequencing

• Periodic Reconciliation

• Pre-numbered Documents

• Proper Authorization

• Safeguard Assets

• Segregation of Duties

• System Configuration

• Transactions Recorded

Means of Achieving ControlMeans of Achieving Control

• Organization – structured roles

• Policies – principles and guidelines

• Procedures – methods employed

• Personnel – qualifications to perform the job

• Accounting – financial control

• Budgeting – expected results

• Reporting – timely, accurate and meaningful

Controls by Function or TypeControls by Function or Type

• Directive Controls

• Preventive Controls

• Detective Controls

• Corrective Controls

• Manual vs Automated Controls

• Hard vs Soft Controls

Testing ProceduresTesting Procedures

• Inquiry

• Observation

• Inspection of Physical Evidence

• Re-performance

Factors in Designing Testing Strategy

• Nature of control & significance in achieving objective

• One control supporting more than one objective

• Significant changes in volume or nature of transactions

• Changes in the design of the control• Degree to which control relies on

effectiveness of other controls

Factors in Designing Testing Strategy (continued)

• Complexity of the Control• Manual vs. Automated Control• Existence of Self-assessment Programs• Entity wide Control• Frequency of Control• Timing of Test of Controls• Changes in key personnel who perform

or monitor the control

SummarySummary

• Several factors must be considered in determining the nature, timing and extent of testing

• Management should monitor the quality and performance of the system of internal control over time

• To the extent possible, internal controls should be structured to be self-monitoring and self-correcting

1:55 Break

AgendaAgenda

Fitting Into the Bigger Picture

Kimberly Gavaletz

VP, Internal Audit

Lockheed Martin Corporation

ComponentsComponents

• Framework

• Quality

• Keeping It Fresh

Internal Audit’s Obligation & Opportunity

FrameworkFrameworkII. Discussion of Amendments Implementing Section 404

1.B.3 Final Rules …a company’s annual report to include and internal control report of management that contains…• A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company’s internal control over financial reporting;

1.B.3.A Evaluation of Internal Control over Financial Reporting• …Management must base its evaluation of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. The COSO Framework satisfies our criteria and may be used as an evaluation framework…However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute…

June 5, 2003

SEC Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports

COSO COSO

Big Picture Embodied in the Framework Big Picture Embodied in the Framework

Other Frameworks: Guidance on Assessing Control, Turnbull Report, “Future Developments”

Control Environment Foundation – Discipline & Structure

Risk Assessment Identification & Analysis of Risks to Pre-determined Objectives

Control Activity Policies/Procedures/Practices that Ensure Objectives are Achieved and Risk Mitigation Strategies are Carried Out

Information & Communication

Communication of Control Responsibilities to Employees in Form & Timeframe to Execute

Monitoring Oversight of Internal Controls (Outside and Inside the Process)

Objectives

Controls

Monitoring

Key: Management OwnershipKey: Management Ownership

Management Owns

Internal Audit Performs

Independent Assessments/

Audits

Framework: OwnershipFramework: Ownership

Framework: ScopeFramework: Scope

Big Picture

Business Objectives

- Financial

- Technical Delivery

- Compliance

Performance with Integrity

Today’s Emphasis

Disclosure Controls-302

Internal Controls-404

Integrity of Financial

Reporting

Today’s Emphasis

Disclosure Controls-302

Internal Controls-404

Integrity of Financial

Reporting

QualityQuality• Who Decides

Quality of Controls?

• Who Decides Level of Consistency Needed?

Roles Drivers

-Management

-Internal Audit

-External Audit

-Rules

-Guidelines

Balance of Controls

ReactiveProactivePreventive

Quality: Internal Audit Quality: Internal Audit • Start: Serve as a Facilitator/Partner across

Management and External Auditors– Start the Dialog– Determine the Roles

• Options/Steps: – Independently Assess Existing Quality

Assurance Structure – Advise Management on the Need and Scope of

a Quality Assurance System – If Necessary, “Gap Fill” as the Quality

Assurance Function

Keeping It FreshKeeping It Fresh•Keep it Fresh

Continuous ImprovementOngoing InvolvementUtilize Evolving Technology

System of Internal Controls

Management

Advise

Assess& Opine

Internal

Audit External

Attest

SummarySummary• Focus on the Big Picture

Framework-Scope-Ownership

• Focus on QualityOwnershipDetection & Prevention

• Keep it FreshContinuous Improvement-Involvement

1:55 Break

AgendaAgenda

COSO’s ERM Framework:The Shape of Things to

Paul J. SobelVice President, Internal Audit

Mirant Corporation

The New COSO Cube

Monitoring

Information and Communication

Control Activities

Risk Response

Risk Assessment

Event Identification

Objective Setting

Internal Environment

STRATEGIC

OPERATIONS

REPORTIN

Internal Environment

•Today- An Integral Part of Sarbanes-Oxley 404

–Integrity and ethical values

–Control consciousness and operating style

–Commitment to competence

–Board/Audit Committee participation in governance

•Tomorrow - Embracing Risk

–Risk management philosophy

–Risk culture

–Risk appetite Internal Environment

Objective Setting•Today - Financial Statement Assertions

–Access to assets

–Authorization

–Completeness and accuracy

–Existence and occurrence

–Presentation, classification and disclosure

–Rights and obligations

–Valuation or allocation

•Tomorrow - Business Objectives–Beyond financial objectives

–Formalized risk tolerance levels

Objective Setting

Event Identification•Today - An Ad Hoc Part of Risk Assessment

–Generic risk universes

–Standard risks and definitions

–Few scenarios considered

•Tomorrow - Formal Identification and Analysis–Answer the questions “What can go wrong?” and “What needs to go right?”

–Understand events/scenarios (worse case, most likely, etc.)

–Consider interdependencies (domino effect)1000

Risk Assessment•Today - Becoming common, but somewhat Superficial

–Tends to be pretty broad

–May only be done in silos

–Minimal support for judgments

–One-time event

•Tomorrow - A Robust, Ongoing Activity

–Integrated with strategic planning

–Inherent and residual risk considered

–Enterprise-wideRisk Assessment

Risk Response•Today - Individual Judgments

–Based on past experience and instinct

–Typically focuses on a single response

–Little consideration to portfolio effect

•Tomorrow - Portfolio Approach

–Identify and evaluate range of possible responses

–Consider enterprise-wide responses

–A formal process

Risk Response

Control Activities•Today - Ensuring Adequate Control

–General and application/specific controls

–Preventative and detective controls

–Automated and manual controls

–Routine and non-routine controls

•Tomorrow - Ensuring Objective Achievement

–Integrated with risk response

–Focuses on strategic, operational, financial and compliance objectives

Control Activities

Information & Communication and Monitoring

•Today - Financial Reporting and Compliance

–Supports financial judgments

–Blend of internal and external information

–Multi-directional communications

–Monitor degree of success

•Tomorrow - Strategic and Operations

–All of the above for all objectives

–Integrated monitoring system

Monitoring

• Transition to a Risk Management-Based Internal Audit Approach–Internal Environment - Expand focus to include risk philosophy, risk culture and risk appetite

–Objective Setting - Obtain understanding of objectives; determine risk tolerance levels

–Event Identification - Imbed in annual and process level risk assessments–Risk Assessment - Lead or facilitate a robust, ongoing, enterprise-wide process

What Does it Mean for Internal Auditors?

• Transition to a Risk Management-Based Internal Audit Approach (continued)–Risk Response - Facilitate identification of possible responses; bring process orientation

–Control Activities - Link controls back to objectives;ensure integration with risk response

–Information and Communication - Evaluate as a part of every audit (make a separate risk)

–Monitoring - Recommend ways to enhance in every process

What Does it Mean for Internal Auditors?

• 1992 - Groundwork laid, but not focused for most companies

• 2002 - Sarbanes-Oxley brought internal control to the forefront

• 2004+ - True ERM begins to take shape

Summary - The COSO Evolution

ControlActivities

Monitoring

Control Activities

Risk Response

Risk Assessment

Objective Setting

Internal EnvironmentSTRATEGIC

OPERATIONS

REPORTIN

I DI A

1:55 Break

AgendaAgenda

1:55 Break

AgendaAgenda

1:55 Break

AgendaAgenda

Webcast SummaryWebcast Summary

• It is essential to be intentional about planning your testing strategy

• Focusing on quality and continuous improvement will leverage your control framework for better results

• COSO ERM framework provides an opportunity for Internal Audit to help organizations meet strategic goals

Future WebcastsFuture Webcasts

• Webcast Steering Committee

• Survey - Input

Thank you for your participation!

Your Comments/Feedback are very important – please complete the evaluation form and redeem a discount on an Online Training product.

Email agoodman@theiia.org for more details!