Leveraging the COSO Framework to Meet Section 404 Requirements

The Institute of Internal Auditors

Webcast Series on Sarbanes-Oxley Act

July 8, 2003

1:00 – 2:30 pm Eastern Time

The IIA Webcast Moderator

Jim Key, CIA

Managing Partner

Shenandoah Group, L.L.P

Disclaimer

The views expressed in this web cast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees, and members.

The Webcast Series on the Sarbanes-Oxley Act

Series 1: Fostering Compliance with SOA: Internal Auditor’s Role

– Four sessions archived on website and available on CD

– To purchase contact Alex at [email protected]

Series 2: Emerging Trends and Best Practices in Implementing SOA

• May 21 - Section 404 Readiness Review: How to document your system of internal control. (Archived)

• June 10 - Helping your audit committee implement complaint handling. (Archived)

• July 8 - Leveraging the COSO framework to meet Section 404 requirements

• August 12 - Project Administration – Setting and revising priorities in the wake of the “Final 404 Rules”

• September 9 - Internal Audit support of Audit Committees – What works best

• September 30 - The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act

Sarbanes-Oxley: Implications and Impact for Internal Audit

• Seminar Offering: 2.5 Days

– Chicago, July 30

– Seattle, August 4

– West Palm Beach, August 25

– Phoenix, September 10

– San Francisco, September 24

– Orlando, December 10

– New York, December 17

Other Resources

• IIA Web Page www.theiia.org

– Click on Guidance

– Click on Tools and Resources for Corporate Governance

• IIA Position Papers

• Responses to exposure drafts

• IIA Research Foundation Master Key Series

• The Sarbanes-Oxley legislation

• Stock listing exchanges key requirements

Management Assessment of Internal Controls (404)

• Requires the SEC to prescribe rules to:

– State the responsibility of management for establishing and maintaining adequate internal control structure and procedures for financial reporting, and

– Contain an assessment of effectiveness of the internal control structure and procedures for financial reporting

SEC Final Rules

• Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports

• Release Date: June 5, 2003 (33-8238)

• Effective Date: August 14, 2003

• Evaluation of Internal Control over Financial Reporting within the context of COSO framework

Agenda

1:00 Welcome and Overview

1:10 Soft Controls – Bruce Adamec

1:20 Control Activities – Ray Lukas

1:30 Monitoring – Andrew Bellenkes

1:40 Break

1:45 Questions and Answers – Panel

2:25 Wrap up – Jim Key

Soft Controls

Bruce Adamec, CPA, CIA

Vice President and General Auditor

United Stationers Inc.

Soft Controls

• Control Environment

• Risk Assessment

• Information & Communication

The Goal is Reliable Financial Results and Safeguarding Assets – Are “Soft” Components Important?

• Commissioner Paul S. Atkins, SEC,

Rocky Mountain Securities Conference: Denver, Colorado, May 30, 2003

“A long standing risk management principle is the importance of corporate culture and “tone from the top”. A CEO’s tolerance, or lack of tolerance of ethical misdeeds and a CEO’s philosophy of business conveys a great deal throughout the organization. The role of directors is to monitor and oversee that situation on behalf of stockholders.”


• Commissioner Cynthia Glassman, SEC,

Federal Reserve Bank of Chicago May 9, 2003

“I can’t walk away from any discussion of corporate governance without stressing that the most important aspect of reform comes from market participants working proactively to foster an ethical culture in business.”


Why We Should Care About Soft Controls – Even Without Sarbanes-Oxley!

• Howard Shilit, Smart Money, July 2003,

“Bad people, in business model with a nice story, will somehow find a way to destroy the business…But with honest people running the company…they’ll be able to navigate through the tough times and the company won’t blow it.”

404 Evaluation

• Clear Understanding of Soft Components

• Infrastructure Evaluation – “Hard” Activities for “Soft” Components

• Evaluation of How Well The Soft Components Are Working to Ensure Financial Statement Reliability, Safeguarding Assets

What Do COSO Components Mean?

• Control Environment – Organization’s Ethics, Tone At Top, Management Philosophy and Style, Commitment to Competence – Management Culture

• Risk Assessment – How Organization Routinely ID’s and Manages Risks – Goals and Obstacles

• Information and Communication – Identifying, Capturing, and Communicating Relevant Data in a Form and Time Frame To Meet Associates’, Investor, and Board of Director’s (Governance) Needs

Infrastructure Evaluation – “Hard Activities For Soft Components”

• Management Culture – Code of Ethics, Human Resources Practices

• Goals and Obstacles – Objectives, Financial Planning and Analysis, Hard-Coded Response Systems (Law, Finance, HR Department)

• Communication & Information – Clear Authority/Responsibility Lines, Standard Financial Close/Reporting Practices, Disclosure Controls, Whistleblower Process, “Open Door” Policies


Evaluation of How Well the “Soft” Components Are Working

Possible Methods -

• Internal Control Questionnaires

• Control Self Assessments

• Survey Employees, Management Assesses Survey Results

[Diagram: Internal Control System, with the labels Surveys, Interviews, Control Self Assessments, Complete Continuous Monitoring, Knowledgeable Fact-based Assertions, Action Plans, Board of Directors Awareness, 404 Certifications, Identification, Company-wide Framework]

More Information on Survey Method

• “Internal Reflections”, The Internal Auditor, December 2002, Pp. 56-63

• “Internal Audit’s Role in Corporate Governance: Sarbanes Oxley Compliance”, IIA Website (IIARF Master Key)

– ALLTel Control and Risk Assessment

– El Paso Internal Control Assessment Survey

Control Activities

Ray Lukas, CPA

Director, Global Risk Management Solutions

PricewaterhouseCoopers

Control Activities

• Policies and procedures that ensure management directives are carried out.

• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Integration With Risk Assessment

• Along with assessing risks, management should identify the actions needed to address identified risks.

• These actions serve to focus attention on the control activities needed to ensure that such actions are appropriately carried out in a timely manner.


• Control activities are the means by which an enterprise strives to achieve its stated business objectives

– Control activities serve as the primary mechanism used by management to monitor performance to achieve business objectives, and

– Control activities are more effective when built directly into the management process

Types of Control Activities

• Numerous types of control activities, including:

– Preventative controls

– Detective controls

– Manual controls

– Computer controls, and

– Management controls

• Control activities usually involve two distinct elements:

– Policy that establishes “what should be done”, and

– Procedures that entail specific actions to be taken to comply with the policy

Essential element of control activities/procedures performed is that issues identified as a result of such procedures be investigated and appropriate corrective actions taken.

• Control Activities are performed by personnel at various levels in the organization

– Top Level Review – Actual performance to budget and forecast

– Direct Functional or Activity Management – daily, weekly and/or monthly review of performance by direct reports (supervisors & managers)

– Information Processing – controls designed to check accuracy, completeness and authorization of transactions

• Control Activities are performed by personnel at various levels in the organization (continued)

– Physical Controls – Physical security and periodic counting of hard assets (Cash, Inventory, equipment, etc.)

– Performance Indicators – Analytical reviews, where differences are investigated and corrective actions taken, and

– Segregation of Duties – Incompatible duties are separated among different people to reduce risk of error or inappropriate actions

Application to Sarbanes 404

Level 1 – Unreliable

• Unpredictable environment where control activities are not designed or in place

Level 2 – Informal

• Disclosure Activities and Controls are designed and in place but are not adequately documented

• Controls mostly dependent on people

• No formal training or communication of control activities

Level 3 – Standardized

• Control activities are designed and in place

• Control activities have been documented and communicated to employees

• Deviations from control activities will likely not be detected

Level 4 – Monitored

• Standardized controls with periodic testing for effective design and operation with reporting to management

• Automation and tools may be used in a limited way to support control activities

Level 5 – Optimized

• An integrated internal control framework with real time monitoring by management with continuous improvement (Enterprise Wide Risk Management)

• Automation and tools are used to support control activities and allow the organization to make rapid changes to the control activities if needed

[Diagram: maturity staircase from Unreliable (unpredictable environment where control activities are not designed or in place), through Informal (control activities are designed and in place but are not adequately documented), Standardized (control activities are designed, in place and are adequately documented) and Monitored (standardized controls with periodic testing for effective design and operation with reporting to management), to Optimized (integrated internal controls with real time monitoring by management and continuous improvement); axis labelled “Management 404 Internal Control Assertion”]

Application to Sarbanes 404

Business Process Focus Area: Invoicing

Control Objective: Accuracy of Input – All errors in data are detected when recorded, accepted by the system, or converted to system-readable format.

Questions:

– What ensures that the fee and amount of the services provided are correct?

– What ensures that the invoice represents the actual services provided?

Control Activities/Procedures noted (Control? Y/N):

1. (Y) There is a programmed procedure that only allows a customer to be invoiced for the services described on the bill. An invoice will not be generated for that appointment until the services on the bill agree to the services on the schedule logging system.

2. (N) Through a programmed procedure, invoices are priced using the contract assigned to that customer or the default price assigned to that customer in the customer contract pricing database. However, anyone who can manually enter a service provider can manually enter a different fee, thus overriding the contracted fee arrangement.

3. (N) There is a programmed procedure that only allows a customer to be invoiced for the services on the bill. However, there is no control to ensure that all services provided were logged on to the service invoice.

Control Objective: Completeness of Input – All appropriate data are entered into the system and accepted for processing. Data rejected by the system are reported, investigated, corrected and re-entered.

Questions:

– What ensures that a service invoice is generated for services provided?

– What ensures that services provided cannot be invoiced twice?

Control Activities/Procedures noted (Control? Y/N):

1. (Y) Every night there is a manual reconciliation of the number of Service Appointments that day to the number of appointments invoiced. This is part of the balancing procedures performed by the data center over nightly batch jobs. Approximately 70% of these invoices are transmitted to the customers electronically via EDI. A manual reconciliation is done to check that all invoices sent to EDI were received by EDI. EDI customers must acknowledge that they have received invoices. If customer acknowledgements are not received, the analysts follow up with the customers. The remaining 30% of the invoices are sent through regular mail.
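The invoicing matrix above records a count-based nightly reconciliation and a pricing control that a manual fee entry can override. The script below is an added example, not code from the webcast, the IIA or any panelist's company: it implements the same two control objectives as detection logic over constructed sample data (the appointment records, invoices, field names and contract pricing table are all hypothetical). Completeness is checked per appointment identifier rather than by count, so an unbilled appointment and a duplicate invoice cannot cancel each other out, and every invoice line is priced against the contract or default rate so an override surfaces as a finding.

```python
"""Nightly invoicing reconciliation (added example; sample data is constructed)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Appointment:
    """One row from the (hypothetical) schedule logging system."""
    appt_id: str
    customer: str
    services: frozenset  # service codes performed at the appointment


@dataclass(frozen=True)
class InvoiceLine:
    service: str
    fee: Decimal


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    appt_id: str
    customer: str
    lines: tuple  # tuple of InvoiceLine


# Constructed contract pricing database: customer -> service -> contracted fee.
# "_default" is the customer's default price when a service has no contract rate.
CONTRACT_PRICES = {
    "ACME": {"CLEAN": Decimal("100.00"), "REPAIR": Decimal("250.00")},
    "GLOBEX": {"_default": Decimal("80.00")},
}


def contract_fee(customer, service):
    """Contracted fee, else the customer's default, else None."""
    prices = CONTRACT_PRICES.get(customer, {})
    return prices.get(service, prices.get("_default"))


def count_reconciliation(appointments, invoices):
    """The slide's nightly balancing control: appointment count vs invoice count.
    Blind to an unbilled appointment that is offset by a duplicate invoice."""
    return len(appointments) == len(invoices)


def reconcile(appointments, invoices):
    """Identifier-level reconciliation for both control objectives.
    Completeness: each appointment invoiced exactly once.
    Accuracy: billed services agree to the schedule log, fees agree to contract.
    Returns a list of finding tuples; element 0 is the finding code."""
    findings = []
    invoices_by_appt = {}
    for inv in invoices:
        invoices_by_appt.setdefault(inv.appt_id, []).append(inv)
    appt_index = {a.appt_id: a for a in appointments}

    for appt in appointments:  # completeness
        n = len(invoices_by_appt.get(appt.appt_id, []))
        if n == 0:
            findings.append(("UNBILLED", appt.appt_id))
        elif n > 1:
            findings.append(("DUPLICATE_INVOICE", appt.appt_id))

    for inv in invoices:  # accuracy
        appt = appt_index.get(inv.appt_id)
        if appt is None:
            findings.append(("ORPHAN_INVOICE", inv.invoice_id))
            continue
        billed = {line.service for line in inv.lines}
        for svc in sorted(billed - appt.services):
            findings.append(("SERVICE_NOT_SCHEDULED", inv.invoice_id, svc))
        for svc in sorted(appt.services - billed):
            findings.append(("SERVICE_NOT_BILLED", inv.invoice_id, svc))
        for line in inv.lines:
            expected = contract_fee(inv.customer, line.service)
            if expected is None:
                findings.append(("NO_CONTRACT_PRICE", inv.invoice_id, line.service))
            elif line.fee != expected:  # manual override of the contracted fee
                findings.append(("FEE_OVERRIDE", inv.invoice_id, line.service,
                                 str(line.fee), str(expected)))
    return findings


# Constructed sample day: four appointments and four invoices, so the count-based
# control balances even though A3 was never billed and A2 was billed twice.
SAMPLE_APPOINTMENTS = [
    Appointment("A1", "ACME", frozenset({"CLEAN", "REPAIR"})),
    Appointment("A2", "GLOBEX", frozenset({"CLEAN"})),
    Appointment("A3", "ACME", frozenset({"CLEAN"})),
    Appointment("A4", "ACME", frozenset({"REPAIR"})),
]
SAMPLE_INVOICES = [
    Invoice("I1", "A1", "ACME", (InvoiceLine("CLEAN", Decimal("100.00")),
                                 InvoiceLine("REPAIR", Decimal("250.00")))),
    Invoice("I2", "A2", "GLOBEX", (InvoiceLine("CLEAN", Decimal("60.00")),)),  # fee overridden
    Invoice("I3", "A2", "GLOBEX", (InvoiceLine("CLEAN", Decimal("80.00")),)),  # A2 billed twice
    Invoice("I4", "A4", "ACME", (InvoiceLine("REPAIR", Decimal("250.00")),
                                 InvoiceLine("PAINT", Decimal("50.00")))),  # PAINT not scheduled
]

if __name__ == "__main__":
    print("count-based control balances:",
          count_reconciliation(SAMPLE_APPOINTMENTS, SAMPLE_INVOICES))
    for finding in reconcile(SAMPLE_APPOINTMENTS, SAMPLE_INVOICES):
        print(*finding)
```

On the sample day the count-based control reports a clean balance while the identifier-level run reports the unbilled appointment, the duplicate invoice, the overridden fee and the unscheduled service; that gap is the reason the matrix marks the pricing and "all services logged" controls as absent.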

Monitoring

Andrew Bellenkes, CPA

Senior Auditor

VF Corporation

COSO Model - Monitoring Component

Ongoing Monitoring - Management, supervisory, and other monitoring activities in the ordinary course of operations that assess the quality of internal controls

Separate Monitoring - Evaluation focusing directly on system effectiveness with a scope and frequency dependent on the assessment of risks, and ongoing monitoring

Reporting Deficiencies - Upstream reporting of internal control deficiencies, with certain matters reported to top management and the board

SEC Final Ruling - Monitoring

Points of Focus...

• Recognized control framework must be used as the basis of evaluation

• Sufficient procedures to evaluate the design and test the operation of internal controls over financial reporting

• Evidentiary matter must be maintained

• Quarterly evaluation of changes to internal controls over financial reporting

• Certifications mandated by Sections 302 and 906 of the Sarbanes-Oxley Act as exhibits to annual, semi-annual and quarterly reports must be filed

Monitoring Component

COSO Model

• Risk Assessment

• Monitoring

VF Hybrid Model

• Goals & Objective Setting

• Monitoring & Assessment

Essential Elements of Effective Monitoring

• Scope Changes

• Evidentiary Support

– SEC Rules

– Archiving, Record Retention, Rollover to the Next Period

• Training

• Internal Audit’s Role

• Extent/Vigor of Quarterly Assessments

Roles in Monitoring Controls

[Diagram: Internal Audit Project Office, Corporate Controller’s Office, European Business Units, Asian Business Units, Domestic & Americas Business Units]

Roles in Monitoring Controls … Project Office/Internal Audit/Corporate Controller’s Office

Project Office

• Corporate Communication

• Training

• Systems Administration (for internal controls documentation database used)

Internal Audit

• Review of Self-Testing by the Business Units

• Coordination and Performance of Testing (for external audit reliance, except for exempt areas)

Corporate Controller’s Office

• Policies and Procedures Statements

• Internal Control Design and Implementation

• Technical Guidance

Roles in Monitoring Controls … the Organization

[Org chart: VF Risk Committee (Corporate CFO - Chair); Project Office (General Auditor, Corporate Controller, Internal Audit, Finance) with External Advisory; business units, each with a BU Owner and a BU Coordinator: VF Jeanswear, VF Imagewear, VF Intimates, VF Outdoor, VF Europe, VF Corporate, VF Services FI/HR, VF ASIA/GSO, VF IS/IT; placeholder for Acquisition(s)?]

*Issue resolution: Ownership of final accounting determinations

Roles in Monitoring Controls … VF Europe

[Org chart: VF Risk Committee (Corporate CFO - Chair); Project Office (General Auditor, Corporate Controller, Internal Audit, Finance); VF Europe (BU Owner, BU Coordinator) with Location Coordinators for Malta, UK, Italy, Germany, Belgium and Poland]

Ongoing Monitoring … VF Methodology

• Ongoing Business Unit testing

• Integrated internal audit approach to test Business Unit compliance with Section 404 vs. stand-alone audits of Accounting and Financial Reporting internal controls

• Quarterly certifications from Business Unit CFOs and CIOs

Summary

• Analysis and assessment of soft controls is as critical as analysis and assessment of hard controls.

• Need for evaluation of controls that span all five components of COSO.

• Business unit management owns the monitoring function.

