Date posted: 18-Dec-2015
CAIB PRE-CONFERENCE TRAINING
Audit Committees: Making Corporate Governance work in the Caribbean
June 21, 2007
Risk Advisory Services
2 © 2006 KPMG Barbados, a Barbados partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Barbados.
Program Agenda
Introduction / Background
Perspective;
Objectives of Sarbanes-Oxley Act;
Management’s Responsibilities;
Key SOX provisions relating to Audit Committees;
Impact of SOX on the Caribbean.
Program Agenda
What is SOX?
COSO Internal Control Framework – A Summary of Components
• A brief discussion on SOX testing procedures;
• Sample sizes and control frequency;
• Evaluating test results and control deficiencies;
• Deficiency Assessment.
Program Objectives
• Discuss briefly the background and framework of Sarbanes-Oxley Act’s 404 (SOX) requirements.
• Impact of SOX on Caribbean Financial Institutions.
• SOX testing procedures.
• A SOX approach to Internal Controls as a Fraud Management tool.
Perspective
• Enron – shock!
• WorldCom – action!
• Ahold, Parmalat, Hollinger
• Nortel, Shell
• Restore investor confidence
• Increased transparency
These may have been the catalyst, but investors are demanding a higher standard of care. Markets have reacted to restore investor confidence.
Objectives of the Sarbanes-Oxley Act
• Increase the accountability of management of public companies;
• Improve Corporate Governance;
• Increase the oversight of public accounting firms;
• Restore investor confidence in the capital markets.
Management’s Responsibilities under SOX
• Accept responsibility for the effectiveness of the Company’s internal control over financial reporting.
• Evaluate the effectiveness of internal control over financial reporting using suitable control criteria.
• Support its evaluation with sufficient evidence, including documentation and appropriate evidence of existence and effectiveness of internal controls.
Management’s Responsibilities under SOX
• Present a written assessment about the effectiveness of internal control over financial reporting as of the end of the Company’s most recent fiscal year.
Key SOX Provisions Relating to Audit Committees
The Sarbanes-Oxley Act requires Audit Committees to adhere to certain provisions, as follows:
• Each member of the Audit Committee must be independent.
• At least one of the members must be a “Financial Expert”.
• Directly responsible for appointment, compensation and oversight of the public accounting firm.
Key SOX Provisions Relating to Audit Committees (Cont’d)
• All auditing and non-auditing services must be pre-approved by committee.
• Establish procedures for handling complaints (whistleblower protection).
• Discuss with auditor prior to issuing audited financial statement:
- Critical accounting policies and alternative treatments
- Management letter, waived adjustments and material written communications
• Have authority to engage independent counsel and other advisors.
Impact of SOX on the Caribbean
Over the last 3 years global companies have had to come to grips with the implementation and reporting requirements of Sections 302 and 404 of the US Sarbanes-Oxley Act – SOX 302 and 404. The SOX Act spells out the various roles of management, the audit committee, and the external auditors.
As a result, the SOX Act has had an effect on Corporate Governance regionally. While the Act does not govern regional companies, many of the large global companies have put various teams in place to ensure that even regional subsidiaries are SOX 404 compliant.
Impact of SOX on the Caribbean (Cont’d)
Though Sarbanes-Oxley is U.S. legislation and is required only of companies quoted on U.S. stock exchanges, there are a few benefits to adopting a SOX-like strategy in regional organizations, as follows:
• Assists Directors in administering their Corporate Governance responsibilities;
• Develops Internal Controls that facilitate a robust internal fraud management strategy;
• Acts as another way of making local Financial Institutions more attractive to foreign investors;
Impact of SOX on the Caribbean (Cont’d)
• Creates an environment that makes it easier for regional Financial Institutions to adopt new legislation, e.g. Anti-Money Laundering;
• Facilitates the development of an Enterprise Risk Management Strategy.
COSO* Internal Control Framework – A Summary of the Components
• Control Environment – The control environment sets the tone of an organization, influencing the control consciousness of its people.
• Control Activities – These policies and procedures help ensure management directives are carried out.
• Information and Communication – Pertinent information must be identified, captured, and communicated in a form and time frame that supports all other control components.
• Monitoring – Internal control systems need to be monitored – a process that assesses the quality of the systems’ performance over time.
• Risk Assessment – Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level.
The COSO framework is a model against which the components of internal control within an organization can be measured and evaluated. This report is representative of one of the ways management applies its assessment of risk at the entity level. This assessment is in line with the risk categories of COSO across the top of the cube (Operations, Financial Reporting, and Compliance). See page 11 for a definition of internal control.
*Committee of Sponsoring Organizations of the Treadway Commission
COSO* Internal Control Framework – A Summary of the Components (Cont’d)
Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Financial Reporting
- The absence of a key financial control causes a material error in the financial statements, including the footnotes
• Compliance with Laws and Regulations
- Company is in violation of applicable regulatory requirements
• Efficiency and Effectiveness of Operations
- Company does not meet strategic objectives
- The process does not operate efficiently
- Customers are not satisfied with services received
Sample Sizes and Control Frequency
[Figure: Determine the extent of tests of controls. The chart relates manual controls by frequency of performance (annually; quarterly; monthly; weekly; many times per day, daily, or frequently but less than daily) and application (programmed) controls (general controls effective or ineffective) to test extents* of 1, 2, 3, 10 and 25.]
* Larger sample sizes may be appropriate when:
• Deviations from designed controls are expected
• Likelihood of errors or override is considered other than low
• The control is the “primary” or only control related to a significant account
• Control is applied by a number of different personnel at various locations
Sample Sizes and Control Frequency
Sample Testing Guidance

| Nature of Control and Frequency of Performance | Minimum Number of Items to Test (Extent of Test of Controls) |
|---|---|
| Manual control, performed many times per day | At least 25 |
| Manual control, performed daily | At least 25 |
| Manual control, performed frequently but less than daily | 25% of the number of occurrences or at least 25 |
| Manual control, performed weekly | At least 10 |
| Manual control, performed monthly | At least 3 |
| Manual control, performed quarterly | At least 2 |
| Manual control, performed annually | Test annually |
| Automated control | Test one application of each programmed control for each type of transaction if supported by effective IT general controls (that have been tested); otherwise test at least 25 |
| IT general controls | Follow guidance above for manual and programmed aspects of IT general controls |
Evaluating the Testing Results
[Flowchart; box labels as recovered from the slide:]
• Select key controls
• Evaluate Design Effectiveness of Control
• Evaluate the Testing Results
• Control operates effectively
• Control deficiencies/exceptions were found
• Address deficiency
• Extend test extents **
• Additional exceptions noted
• No additional exceptions
• Amend decision to rely on control and consider another control
** If, after evaluating the exception, it is determined to be isolated, consider expanding the sample size (for example, by an additional 10 tests for each exception).
Assessment of Control Deficiencies
3 levels:
Inconsequential;
Significant Deficiency;
Material Weakness.
Control Deficiencies
Significant Deficiency
• A control deficiency that adversely affects the Company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP.
• Could be a single deficiency or a combination of deficiencies that results in more than a remote likelihood that a misstatement of the annual or interim financial statements that is more than inconsequential will not be prevented or detected.
Control Deficiencies
Significant Deficiency
• Material Weakness;
• A significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected;
• Material Weakness = Adverse Opinion;
• “Remote”: the chance of the future event or events occurring is slight.
Evaluating Significant Deficiencies
• Must evaluate all identified deficiencies in internal control over financial reporting for significance based on:
- Likelihood that a deficiency, or combination of deficiencies, could result in a misstatement of an account balance or disclosure.
- Magnitude of the potential misstatement resulting from the deficiency or deficiencies.
• Evaluation of significance includes both quantitative and qualitative factors.
• Maintain a log of all deficiencies:
- Requires aggregation – all locations reporting.
Accountability and Control Red Flags
• Lack of separation of duties;
• Lack of physical security and/or key control;
• Weak links in chain of controls and accountability.
• Missing independent checks on performance;
• Lax management style;
• Poor system design;
• Inadequate training.
How to Minimize Fraud Risk
• Adhere to policies/procedures (especially documentation and authorization);
• Ensure physical security over assets;
• Provide proper training to employees;
• Independently review and monitor tasks;
• Provide for segregation of duties;
• Establish clear line of authority;
• Rotate duties in positions susceptible to fraud;
• Ensure employees take regular vacations;
• Schedule regular independent audits of areas susceptible to fraud;
• Ensure background check for employees handling financial transactions;
How to Minimize Fraud Risk
• Make sure internal controls are being followed;
• Review, Review, Review!
• Ask for documentation;
• Ensure that one person does not have total responsibility for a process;
• Evaluate performance regularly;
• Report suspicious activity.
Contacts
Frederick Bernard
KPMG Barbados
Phone: 1-246-427-5230
Mobile: 1-246-233-2883
Email: [email protected]
Michael Edghill
KPMG Barbados
Phone: 1-246-427-5230
Mobile: 1-246-231-1111
Email: [email protected]
Rendra Gopee
KPMG Barbados
Phone: 1-246-427-5230
Mobile: 1-246-233-5165
Email: [email protected]
Frank Myers
KPMG St. Lucia
Phone: 1-758-4531471
Email: [email protected]