Post on 01-Dec-2014
1
Project Administration - Setting and revising priorities in the wake of the
"Final 404 Rules"
The Institute of Internal Auditors
Webcast Series on Sarbanes-Oxley
Session #4 – August 12, 2003
2
The IIA Webcast Moderator
Jim Key, CIA
Managing Partner
Shenandoah Group, L.L.P
3
Disclaimer
The views expressed in this webcast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees and members.
4
Emerging Trends and Best Practices in Implementing the Sarbanes-Oxley Act
• May 21 - Section 404 Readiness Review: How to document your system of internal control
• June 10 - Helping your audit committee implement complaint handling
• July 8 - Leveraging the COSO framework to meet Section 404 requirements
• August 12 - Project Administration - Setting and revising priorities in the wake of the "Final 404 Rules"
• September 9 - Internal Audit support of Audit Committees - What works best
• September 30 - The Road Ahead - Meeting the challenges in complying with The Sarbanes-Oxley Act
*Available online archive for one year and on CD
5
Agenda
1:00 - 1:05 Introduction and Overview - Jim Key
1:05 - 1:25 Management’s Report on Internal Control Over Financial Reporting - Sean Harrison
1:25 - 1:45 Preparing the 404 Work Plan – Kiko Harvey & David Richards** Combined Presentation
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key
6
Management’s Report on Internal Control Over Financial Reporting
Sean Harrison, Esquire
Special Counsel, Office of Rule Making
Division of Corporate Finance
U.S. Securities and Exchange Commission
7
Disclaimer
As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication or statement of any of its employees. The views expressed in this presentation reflect the views of the author and do not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.
8
What is Internal Control Over Financial Reporting?
The final rules define this term as:
– A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
9
What is Internal Control Over Financial Reporting?
• Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;
10
What is Internal Control Over Financial Reporting?
• Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
11
What is Internal Control Over Financial Reporting?
• Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements
12
Management Report Requirements
• A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
• A statement identifying the framework used by management to evaluate the effectiveness of the company’s internal control over financial reporting;
13
Management Report Requirements
• Management’s assessment of the effectiveness of internal control over financial reporting as of the end of the company’s most recent fiscal year and disclosure of any material weaknesses in such control identified by management. If there is a material weakness in the internal controls, management cannot conclude that the controls are effective; and
• A statement that the company’s auditor has issued an attestation report on management’s assessment.
14
Framework for Management’s Evaluation
• The new rules implicitly require management to use a “framework” to evaluate the company’s internal control and to identify the framework in the report.
• The rules do not prescribe the use of a particular framework; however, the rules state that the framework used must be a suitable, recognized control framework established by a body or group that has followed due-process procedures, including broad distribution of the framework for public comment.
15
Framework for Management’s Evaluation
• The release states a suitable framework must:
– Be free from bias;
– Permit reasonably consistent qualitative and quantitative measurements of a company’s internal control;
– Be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company’s internal controls are not omitted; and
– Be relevant to an evaluation of internal control over financial reporting
16
Method of Evaluation
• The new rules do not specify a method or procedures to be followed. However, the rules do state that a company must maintain evidential matter, including documentation, that provides reasonable support for management’s assessment of effectiveness.
• This is an inherent element of effective internal control and consistent with the internal accounting control requirements under section 13(b)(2) of the Exchange Act.
17
Method of Evaluation
• Evidential matter includes documentation regarding both the design of internal control and the testing processes.
• This evidential matter should provide reasonable support: (1) for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions; (2) for the conclusion that the tests were appropriately planned and performed; and (3) that the results of the tests were appropriately considered.
18
Material Weaknesses in Internal Control Over Financial Reporting
• Management cannot conclude that the company’s internal control over financial reporting is effective if there is a “material weakness” in such control. Any such material weakness must also be specifically disclosed.
• The term “material weakness” has the meaning under generally accepted auditing standards (or GAAS), including the AICPA’s Codification of Statements on Auditing Standards Section 325.
19
Material Weaknesses in Internal Control Over Financial Reporting
• It is possible that the PCAOB will modify the definition of material weakness and significant deficiency.
• It is also worth noting that on June 20, 2003 the Auditing Standards Board (ASB) of the AICPA submitted for the consideration of the PCAOB recommendations for Professional Auditing Standards that, among other things, recommended changes to the definitions of “significant deficiency” and “material weakness.”
20
Quarterly Evaluations
• Under the new rules, management will be required to perform quarterly evaluations of changes that have materially affected, or are reasonably likely to have a material effect on, the company’s internal control over financial reporting. If such a change occurred during a company’s fiscal quarter, the company will have to disclose the change in its quarterly report.
21
Quarterly Evaluations
• This disclosure requirement replaces paragraph (b) in existing Item 307 of Regulations S-K and S-B regarding quarterly disclosure of changes in internal controls and corrective actions and is incorporated in new Item 308 of Regulations S-K and S-B.
22
Quarterly Evaluations
• The new rules do not explicitly require disclosure about the reasons for the change; however, companies will have to determine, on a facts and circumstances basis, whether the reasons for the change, or other information about the circumstances surrounding the change, constitute material information necessary to make the disclosures in the report not misleading.
23
Auditor Independence Issues
• Management and the company’s outside auditor will need to coordinate their processes of documenting and testing internal control over financial reporting.
• The adopting release reminded companies and their auditors that the Commission’s rules on auditor independence prohibit an auditor from providing certain nonaudit services to an audit client.
24
Auditor Independence Issues
• When the auditor is engaged to assist management in documenting internal controls or preparing evaluative tools, management must be actively involved in the process. Management cannot delegate its responsibility to assess its internal control over financial reporting to the auditor.
25
Compliance Dates
• A company must begin to comply with the management report on internal control over financial reporting disclosure requirements for fiscal years ending on or after June 15, 2004, if it is an “accelerated filer,” as defined in Exchange Act Rule 12b-2 as of the end of its first fiscal year ending on or after June 15, 2004.
26
Compliance Dates
• Companies that are non-accelerated filers, including small business issuers and foreign private issuers, must begin to comply with the disclosure requirements in annual reports for their first fiscal year ending on or after April 15, 2005.
27
Compliance Dates
• All companies must begin to comply with the quarterly evaluation of changes to internal control over financial reporting requirements for their first periodic report due after the first annual report that must include management’s report on internal control over financial reporting.
28
Agenda
1:00 - 1:10 Introduction and Overview - Jim Key
1:10 - 1:20 Management’s Report on Internal Control Over Financial Reporting - Sean Harrison
1:20 - 1:40 Preparing the 404 Work Plan – Kiko Harvey & David Richards** Combined Presentation
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key
29
Dave Richards, CIA, CPA
Director, Internal Auditing
FirstEnergy Corp.
30
Kiko Harvey, CPA
Director, Internal Audit
Starbucks Corporation
31
Preparing the 404 Work Plan
A Step-by-Step Process
32
Overview
Step 1: Organize the Project Team / Communicate
Step 2: Set the Project Scope
Step 3: Develop Tools
Step 4: Documentation
Step 5: Test and Evaluate Controls
Step 6: Reporting
33
Step 1: Organize the Project Team/ Communicate
34
FirstEnergy 404 Project Team Organization Chart
[Organization chart: Steering Committee; Disclosure Committee; Project Manager (Director, IA); Internal Auditing (5 people); Controller's (1 person); Business Unit (5 people); VP - Controller, CRO, CIO, VP - ED, General Counsel, BU Controller]
35
TRAINING
• Core Team
– 404 Requirements
– Co. Approach (process to be followed)
– Guidelines
– Documentation tool
• Process Owner
• Process members (extended team)
• Steering Committee
• Audit Committee
• Disclosure Committee
36
SOA 404 Annual Control Assessment Process
High level overview
[Flow diagram: Financial Statements; Processes; Risk & Control Matrix (draft); Process Assessment Team; Materiality Guidelines; Risk Guidelines]
37
SOA 404 Annual Control Assessment Process
[Flow diagram: Workshop(s) to confirm Matrix; Design Assessment; GAPS; Corrective action; No Gaps; Workshop Guidelines; ICW]
38
SOA 404 Annual Control Assessment Process
[Flow diagram: Testing to confirm controls; Testing Results Assessment; GAPS; No Gaps; Corrective action; Overall assessments statements; Testing Guidelines; ICW; Test Plan]
39
Step 2: Scope the Project
• Identify cycles that drive financial statement information
• Identify other key processes critical to the company’s success
• Map out significant transactions for each cycle and business process to form the basis for documenting controls
40
Step 2: Scope the Project
Example
Cycle: Revenue
Transactions: Authorize Credit; Maintain Customer Files; Invoicing; Collecting; Analyzing Bad Debt
Key Process: Retail Operations
Transactions: Hiring, Training & Scheduling Employees; Point of Sale Maintenance; Merchandising & Promotions; Sales and Cash Audit; Inventory & Asset Management
41
Step 2: Scope the Project
• Map financial statement components to cycles and key processes
• Identify locations having a significant impact on the financial reporting environment for testing
– Set materiality guidelines for balance sheet and P&L (i.e. % assets, EPS impact)
– Introduce project to remote accounting locations selected for testing
42
Step 3: Develop Tools
• Determine how you will organize the documentation – consider using special purpose software (COSO based)
• Develop checklists
– Control self-assessment questionnaires
– Policies and procedures surveys
– Segregation of duty templates
43
Step 4: Documentation
• Collect and inventory existing internal control documentation for cycles and key processes identified in scoping activity
• Distribute checklists to new locations or where information requires update
• Using the COSO documentation tool, document controls for all transaction cycles and key processes in a “controls repository” – replicate for locations selected for testing
44
Step 4: Documentation
Organization of Controls Repository
Example
Transaction
• Identified during scoping phase (by cycle and key process)
• Map to financial statement accounts, disclosures, footnotes, etc.
Identify Risk
• Identify risks for each transaction based on financial statement assertions (existence, accuracy, completeness, etc.)
Identify Control
• Document key control activities for each risk identified
• Determine if preventive or detective in nature
• Determine if automated or manual
• Frequency of control activity (daily, monthly, quarterly)
45
Step 5: Test and Evaluate Controls - Testing Guidance
• Testing definition
• Objectives for testing
• Methods (options) for testing
• How to determine proper test
• Expectations of results of test
• Which controls to test (ID Key control)
• Documentation
46
Step 5: Test and Evaluate Controls - Testing Guidance
• Evaluation (expectations vs. results)
• Frequency of testing
• Who performs the test
• Determination of “gaps”
• Action plans
• Identification of deficiency, significant deficiency or material weakness
• Retesting
47
Deficiency: Control Activity / Technique
Significant Deficiency: Multiple Control Activities
Material Weakness: COSO Financial Control Objective not met
48
Control Objectives = COSO Financial Statement Assertions
1. Existence / Occurrence
2. Completeness
3. Measurement / Valuation
4. Rights & Obligations Recorded
5. Proper Classification & Disclosures
6. Safeguarding of Assets
7. Fraud Prevention / Detection
49
Deficiency
“Design gap” or “Operational gap”
= Missing control (design)
= Control objective not met (design)
= Control not present (operational)
= Control not operating as designed (operational)
= Control cannot be confirmed (operational)
= Inconsistent application (person performing control not qualified) (operational)
50
Payroll Process
Control Objective: Completeness – all material liabilities recorded
Risk: All labor liabilities not recorded
Control Activity: Labor accrual is booked for unpaid time
Test Results: Accrual is automatic based on prior 2 wks; overtime is not accrued; new hires out; exits in
51
Significant Deficiency
• Frequency of deficiencies noted
• Errors in multiple controls tied to key risk
• More than one control activity contains testing errors beyond expectations
• Control objective key risks are mitigated but only because one control activity has tested ok vs. all controls tied to the risk
52
Property Accounting
Control Objective: Existence of assets
Risk: Assets not recorded
Control Activity: Purchase orders issued by SC
Test Results: BU purchase assets as expense; material is charged out of warehouse but not installed
53
Material Weakness
• Key risks (HH) tied to control objective not mitigated
• Control objective cannot be achieved
• All controls designed to mitigate a risk have deficiencies
• Significant “material” transactions flow through the process ($10,000,000)
54
Process: Zai*net Deal Capture
Control Objective #2: Completeness of transactions
Key Risk #2.1: Transactions may be inaccurately recorded
Control Activity #2.1.4: Confirmation process used to ensure deals are captured & complete
Test: Select 30 transactions over test period; compare confirms to Zai*net data (9 characteristics)
Account Mapping to Material Accounts = Processes
Expectation: all deals will be confirmed with all 9 characteristics matching
55
Step 6: 404 Reporting
• Team meeting agendas & minutes
• Assignments
• Monthly report
• Steering Committee meetings
• Disclosure Committee meetings
• Updates to Audit Committee
• Updates to Senior Management (CEO, CFO, President, Key VPs)
• External Financial Audit Team
56
Agenda
1:00 - 1:10 Introduction and Overview - Jim Key
1:10 - 1:20 Management’s Report on Internal Control Over Financial Reporting - Sean Harrison
1:20 - 1:40 Preparing the 404 Work Plan - Kiko Harvey & David Richards** Combined Presentation
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key
57
Summary
• Interpretation of SEC Rules is subjective
• Check SEC website www.sec.gov regularly for regulatory actions
• Approach 404 management assessment of internal controls as major project
• Apply project management disciplines to ensure compliance
58
The IIA Webcast Moderator
Jim Key, CIA
Managing Partner
Shenandoah Group, L.L.P