Gaining Financial Integrity Through Improved Internal...

Gaining Financial Integrity Through Improved Internal Controls

SAP Management ofInternal Controls Tool

PwC and SAP Sarbanes-Oxley 404

Web Conference SeriesMarch 2004

William R. Shipley, Partner, IT Advisory Services, PricewaterhouseCoopers LLP

Brian Parker, Senior Manager, IT Advisory Services, PricewaterhouseCoopers LLP

David Nelson, Product Management mySAP ERP Financials, SAP

Agenda – Management of Internal Controls (MIC)

SOA Sections 302 and 404

COSO Framework for the Evaluation of Internal Controls

Timeline for SOA MIC Project

Initial Documentation of Internal Controls

Assessment and Remediation of IC

Test and Remediation of IC

Sign-Off and Reporting

Questions and Additional Information

Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOA) was enacted by the US Congress on July 30, 2002 and applies to all companies registered with the Securities and Exchange Commission. Such a registered company is one that is traded on a stock market in the US (e.g. NYSE, Nasdaq, etc.). SOA establishes heightened requirements in the area of corporate governance, financial disclosures, and accountability for fraud. Specifically, it requires organizations to periodically evaluate and certify/report as to the effectiveness of their internal control. Other countries are expected to determine the need for and possibly also establish guidance or requirements (e.g. German government has issued a 10-Point Plan on corporate governance standards in February 2003)

The SEC defines Internal Control (applying a framework known as COSO) as a process that is carried out by an entity’s board of directors, management and other personnel, and designed to provide reasonable assurance regarding the achievement of control objectives in the following categories:

• Effectiveness and efficiency of operations• Reliability of financial reporting• Compliance with applicable laws and regulations

Sarbanes-Oxley Act – Software relevant Sections

Section Requirement

301 The audit committee shall establish procedures for the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters

302 Management responsibility for effective disclosure controls and procedures over financial reporting, operations and complianceDisclosure of significant deficiencies in internal control to audit committee and external auditors

Certification of contents of SEC reports by CEO and CFO

401 Include in financial reports all material correcting adjustments that have been identified by the external auditors

Provide investors with a clear understanding of the company’s off-balance sheet arrangements and their material effects

404 Annual report should include a report by management on the effectiveness of internal control over financial reporting

Documentation of control design and effectiveness testingDisclosure of any material weaknessesAttestation by external auditors

Note: Further periodic disclosure requirements are covered under Section 302

409 Rapid and current information on material changes in the financial condition or operations, including trend and qualitative information for protection of investors and in the public interest

Section 302 – Requirements

Certification of Disclosure in Companies’ Quarterly and Annual ReportsManagement responsibility for effective disclosure controls and procedures over financial reporting, operations and complianceDisclosure of significant deficiencies in internal control to audit committee and external auditorsCertification of contents of SEC reports* by CEO and CFO

(*) filed annually and/or quarterly, depending on size and location of company

ActivityIdentify scope of the company’s disclosure controls and proceduresDocument business processes and process controls over all major activities within an entity (beyond solely processes impacting financial reporting)Assess internal control effectivenessIdentify and track resulting issues and remediation plansCascade the accountability for control evaluation and roll up the results (e.g. resulting in a dashboard confirming ability to sign certification)

Section 404 – Requirements

Management Report on Internal Control Over Financial ReportingAnnual report should include a report by management on the effectiveness of internal control over financial reporting

Documentation of control design of effectiveness testingDisclosure of any material weaknessesAttestation by external auditors

Note: Further periodic requirements are covered under Section 302

ActivityIdentify areas of scope relevant for evaluating the effectiveness of internal control over financial reportingDocument the design of significant controls Perform evaluation of control design and effectiveness Identify resulting control issues and monitor remediationDocument changes in processes and controls; surface any associated issuesPrepare internal control reportAttestation by external auditors











Committee of Sponsoring Organization (COSO)Initiated in 1988 by the US Congress

COSO was written in 1992

SEC refers to the COSO framework for the definition of internal controls

COSO is not a must-have in terms of SOA or for SEC – it is an example of an appropriate framework.

COSO goes beyond the “activity-based” definition of internal controls by SEC, by introducing 5 COSO Components

Monitoring

Information & Communication (of policies and rules)

Control Activities

Risk Assessment

Control Environment

COSO and SOA

Disclosure Controls & Procedures (Section 302)

Other aspects of compliance and operations pertaining to DC&P

LEGEND:

Internal Accounting

Controls

Financial Reporting

Compliance&

Regulatory

Operations

Contro

l

Enviro

nmen

t

Risk

Asses

smen

t

Control

Activit

ies

Infor

mation

&

Commun

icatio

nMonito

ring

Process 1

Process 2

Business Unit 2

Business Unit 1

• COSO: Leading Framework for SOA Compliance on Internal Control

• The SEC states: “The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management’s annual internal control evaluation and disclosure requirements.”

• Furthermore, the Institute of Internal Auditors Research Foundation indicates that 63% of publicly held companies use the COSO framework of internal control (February 2003)

Internal control over financial reporting (Section 404)

COSO Cube

COSO – Categories of Control Objectives

Category of Control Objective

Operational Financial Compliance & Regulatory

Control Objectives

EffectivenessEfficiency

CompletenessAccuracyValidityRestricted Access

TaxEnvironmentalHealthSafety

SOA Section 302 Relevance

Yes Yes Yes

SOA Section 404 Relevance

Marginal Yes Marginal










MIC Solution Detail

Documentation of Internal Controls

Controls

Management Controls

Assessment and Remediation

Control Design Assessment

Control Efficiency Assessment

Process Design Assessment

Management Controls Assessment

Identification of Issues

Validation of Assessments

Remediation of Issues

Progress Tracking and Analysis

Testing & Remediation

Documentation of Testing Results

Identification of Issues

Remediation of Issues

Progress Tracking and Analysis

Scoping & Project Set-up

Identification of Org. Units and Processes in scope

Org. Unit Hierarchy

Central Process Catalog

Assignment of Processes to FS Accounts

Central Catalog of Control Objectives and Risks

Assignment of Processes to BU‘s

Reporting & Sign-off

Analysis Overviews with Drill-down Functionality

Management Reports

Workflow-triggered Sign-off supporting 404 Reporting / 302 Certification

Basis 6.20 / SAP WebAS

SOA Section 404 TimelineLegend: ManagementAddressing Requirements in Year 1

External Auditor

I. Project Set-Up and Scoping

Financial Year-End Close

Auditor attest to 404 Report

Description of

• Processes

• Control objectives

• Risks

• Controls

Define management requirements

Assessment of control design and efficiency within the process

Definition of project structure

Scoping

Assessment of control design and efficiency at control level

Management testing of control effectiveness

Identify Mgmt. controls

Org. Unit review and sign-off

Roll-up for sign-off

404 Report Filing Deadline

Prepare 404 Report

II. Documentation

of Internal Control

IV.Testing &

Remediation of Internal Control Effectiveness

V. Sign-Off & Reporting

III.Mgmt. Assessment and Remediation of

Internal Control Design & Efficiency

Control design & efficiency remediation

Process design & efficiency remediation

Control effectiveness remediation

External auditors perform process walkthroughs

External auditors guidance

External auditors review of remediation plans

External auditors testing of internal control and review of 404 Report

SOA Section 404 TimelineLegend: ManagementAddressing Requirements in Year n

External Auditor

Financial Year-End Close

Auditor attest to 404 Report

Review/ revise project structure, as needed

Management testing of control effectiveness

Org. Unit review and sign-off

Roll-up for sign-off

404 Report Filing Deadline

Prepare 404 Report

I. Open Year n III. Testing & Remediation of Internal Control Effectiveness

II. Quarterly Control Assessment Review

(Year n - Q1, Q2, Q3)

Control effectiveness remediation

IV. Sign-Off & Reporting

External auditors perform process walkthroughs

External auditors testing of internal control and review of 404 Report

Review/ revise scoping, as needed

Review/ revise description of processes, control objectives, risks and controls

Ongoing monitoring for change and process/control issues; update documentation; report to Management

Q1 Evaluation of Change in IC

Q2, Q3, Q4 Evaluation of Change in IC

Repeat steps for Q2, Q3, Q4

Review/ revise assessment of control design and efficiency at control level

Review/ revise assessment of control design and efficiency within the process

Process Review & Sign-Off

Roll-Up for Sign-Off

Freeze data from Year n Q1 and set up new version for next Quarter

Review/ revise Mgmt. controls










Organizational Units

No restrictions to building Org.Unit hierarchies with unlimited amounts of levels

Org.Unit hierarchy can be automatically created from

HR ORG

BW hierarchies(SEM-BCS, FI, EC-PCA, ...)

Corporate

Legal Entity LE1

Legal Entity LE2

Business Unit BU1

Business Unit BU2

...

Shared Services

IT

HR

Organizational Hierarchy

Screenshots are included for illustrative purposes only. Screen design, navigation, and functionality are subject to change.

Central Process Catalog (BU-independent Process Hierarchy)

Process Hierarchy

Corporate and Business Units define one central catalog of processes - w/o process steps.

Only those processes are included that have a material impact on financial reporting (Section 404) or disclosure controls and procedures (Section 302)

Processes

R & D

Marketing

Procurement

Production

Sales & Distribution

Finance

Human Resources

IT

Legal & Regulatory

Supplier selection

Bid and contract Mgmt.

Financial Accounting

Financial Reporting

A/R...

Sales

Examples of process groups

Process P1: Order Processing...

Central Process Catalog


Impact of Processes on Financial Accounts

Processes


Sales

Process hierarchy Financial Statement Accounts

Process P1: Order Processing...

Accounts Receivable

Balance Sheet...

...

...

...

Assets Liabilities

...

Profit / Loss Statement

...

Inventory

...

...

...

Revenue

...

...

Cash Flow Statement

...

...

...

...

Processes can impact one or several FS accounts

Processes in the central catalog of processes will be linked to the relevant financial statement accounts or account groups (intervals).

...

Process P2: ...

Process & Control Documentation – Linking Processes to FS Accounts


Control Objectives and Risks

Control Objectives and Risks are defined in a central catalog by Corporate and BUs

Processes

R & D


Sales

Process P1: Order Processing

Control ObjectivesA Control Objective is a statement that captures the purpose of controls within the process. Several control objectives are likely to be defined for each process. Following the COSO framework, control objectives may be categorized as Financial, Operational or Compliance related.Control Objective CO1

Risk R1 RiskA risk is a potential event that adversely impacts the desired outcome of control objectives.

Risk R2

Control Objectives and Risks are used for a BU specific Risk Assessment and Control Evaluation.

Corporate wide: P-CO-R Process – Control Objective – Risk

BU-specific: P-CO-R-C Process – Control Objective – Risk - Control

Central Catalog: Process – Control Objective - Risk

Process Control Objective Control Objective Category

Risk

Accepting orders from unauthorized or insolvent customers

Sales Orders are properly authorized

Financial Reporting

Commitment to unauthorized prices or terms

Customer finds process difficult to understand

Customers receive quality service throughout the ordering process Employees lack the necessary

customer service skills

......

...

... ...

Operations

Sales

Central Process Catalog: P-CO-R


Process assignment to Business Units

Assignment of processes to BUs

BUs choose from the central process catalog those processes that are applicable and in scope for their BU.

Corporate

Legal Entity LE1

Business Unit BU1


Sales

Process P1: Order Processing

Procurement

...

By assigning a process to a BU, the relating Process Groups are automatically inherited from the central process catalog.

Process assignment to Business Units

Processes are assigned to Org. Units from the central process catalog

Pop-up with Central Process Catalog for process selection











Control Design Assessment – Workflow

1) Personalized, User-specific Start Page with a ToDo List

Perform Assessment of Control Design


Control Design Assessment – Workflow

2) Detail Screen, where the assessment is to be performed


MIC Role Concept

SAP delivers a catalog of available tasks that can beperformed in the MIC Application:

...31 Assess control design32 Validate design issue33 View control design assessment...

SAP provides ready-to-use Roles

CFO Assistant

BU Manager

Process Group Owner

...

Assigned tasks:View org.structureAssign process group ownersAssess management controlsView operational & management reports

The Power User may define additional Roles and edit/delete existingones

Role Concept: Assigning Names to Roles

Business User of BU1 enters the names for each role in his area of responsibility

Entity:

PG

Title:

Procurement

PG Sales & Distr.

Assignment of Roles at the Org. Unit Level

Role: Name:

PG Owner

PG Owner

John Smith

Joe Black

Corporate

Legal Entity LE1

Business Unit BU1


Sales

Process P1

Procurement

...

Poweruser creates User-IDsBenefits:1) Central maintenance of roles, their tasks and authorizations2) Assignment of persons to roles can be set-up and modified by business users at all

levels – following a cascading delegation principle3) This roles / task concept generates automatically the appropriate workflow tasks










Analysis Trees and Reports – PG-P-PS for Testing










Sign-Off by Org Unit


The sign-off indicates that all information contained in the tool, e.g. processes and controls identified, control ratings, etc. are adequate and up-to-date.

Issues and remediation plans may still be open at the stage of sign-off. Sign-off’s with outstanding red ratings require comments and may prevent the CEO and CFO from submitting a clean 302 Certification / 404 Report. They would need to disclose those outstanding points to SEC / public.

Reporting: Process Group – Process – Process Step View


• What ratings exist for certain controls?

• Are controls in the right place (missing / redundant) within the process?

• Are there issues associated with these controls / processes / process groups?

• Who is responsible for a given control / processes / process groups?

Reporting: Process – Control Objective – Risk – Control View


• Which control objectives and risks are not addressed?

• What is the state of internal controls addressing individual risks within a given process?










Q & A

Questions?

Instructor Contact and Additional Information

SAP Solution Management David Nelson – [email protected] Anderson – [email protected]

PwC William Shipley – [email protected] Parker – [email protected]

mailto:[email protected]




Copyright 2002 SAP AG. All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.ORACLE® is a registered trademark of ORACLE Corporation.INFORMIX®-OnLine for SAP and Informix® Dynamic ServerTM are registered trademarks of Informix Software Incorporated.UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. JAVA® is a registered trademark of Sun Microsystems, Inc. JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAPEarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP Business Suite Logo andmySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Date post:	11-Apr-2018
Category:	Documents
Upload:	hatuong
View:	221 times
Download:	3 times

Gaining Financial Integrity Through Improved Internal...

Documents