All panelists

Project Administration - Setting and revising priorities in the wake of the "Final 404 Rules"

The Institute of Internal Auditors

Webcast Series on Sarbanes-Oxley

Session #4 – August 12, 2003

The IIA Webcast Moderator

Jim Key, CIA

Managing Partner

Shenandoah Group, L.L.P

Disclaimer

The views expressed in this webcast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees and members.

Emerging Trends and Best Practices in Implementing the Sarbanes-Oxley Act

• May 21 - Section 404 Readiness Review: How to document your system of internal control

• June 10 - Helping your audit committee implement complaint handling

• July 8 - Leveraging the COSO framework to meet Section 404 requirements

• August 12 - Project Administration - Setting and revising priorities in the wake of the "Final 404 Rules"

• September 9 - Internal Audit support of Audit Committees - What works best

• September 30 - The Road Ahead - Meeting the challenges in complying with The Sarbanes-Oxley Act

*Available online archive for one year and on CD

Agenda

1:00 - 1:05 Introduction and Overview - Jim Key

1:05 - 1:25 Management’s Report on Internal Control Over Financial Reporting - Sean Harrison

1:25 - 1:45 Preparing the 404 Work Plan – Kiko Harvey & David Richards ** Combined Presentation

1:45 - 1:50 Break

1:50 - 2:25 Questions & Answers – Panel

2:25 - 2:30 Concluding Remarks – Jim Key

Management’s Report on Internal Control Over Financial Reporting

Sean Harrison, Esquire

Special Counsel, Office of Rule Making

Division of Corporate Finance

U.S. Securities and Exchange Commission

Disclaimer

As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication or statement of any of its employees. The views expressed in this presentation reflect the views of the author and do not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.

What is Internal Control Over Financial Reporting?

The final rules define this term as:

– A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

• Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;

• Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and

• Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements

Management Report Requirements

• A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company;

• A statement identifying the framework used by management to evaluate the effectiveness of the company’s internal control over financial reporting;

• Management’s assessment of the effectiveness of internal control over financial reporting as of the end of the company’s most recent fiscal year and disclosure of any material weaknesses in such control identified by management. If there is a material weakness in the internal controls, management cannot conclude that the controls are effective; and

• A statement that the company’s auditor has issued an attestation report on management’s assessment.

Framework for Management’s Evaluation

• The new rules implicitly require management to use a “framework” to evaluate the company’s internal control and to identify the framework in the report.

• The rules do not prescribe the use of a particular framework; however, the rules state that the framework used must be a suitable, recognized control framework established by a body or group that has followed due-process procedures, including broad distribution of the framework for public comment.

• The release states a suitable framework must:

– Be free from bias;

– Permit reasonably consistent qualitative and quantitative measurements of a company’s internal control;

– Be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company’s internal controls are not omitted; and

– Be relevant to an evaluation of internal control over financial reporting

Method of Evaluation

• The new rules do not specify a method or procedures to be followed. However, the rules do state that a company must maintain evidential matter, including documentation, that provides reasonable support for management’s assessment of effectiveness.

• This is an inherent element of effective internal control and consistent with the internal accounting control requirements under section 13(b)(2) of the Exchange Act.

• Evidential matter includes documentation regarding both the design of internal control and the testing processes.

• This evidential matter should provide reasonable support: (1) for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions; (2) for the conclusion that the tests were appropriately planned and performed; and (3) that the results of the tests were appropriately considered.

Material Weaknesses in Internal Control Over Financial Reporting

• Management cannot conclude that the company’s internal control over financial reporting is effective if there is a “material weakness” in such control. Any such material weakness must also be specifically disclosed.

• The term “material weakness” has the meaning under generally accepted auditing standards (or GAAS), including the AICPA’s Codification of Statements on Auditing Standards Section 325.

• It is possible that the PCAOB will modify the definition of material weakness and significant deficiency.

• It is also worth noting that on June 20, 2003 the Auditing Standards Board (ASB) of the AICPA submitted for the consideration of the PCAOB recommendations for Professional Auditing Standards that, among other things, recommended changes to the definitions of “significant deficiency” and “material weakness.”

Quarterly Evaluations

• Under the new rules, management will be required to perform quarterly evaluations of changes that have materially affected, or are reasonably likely to have a material effect on, the company’s internal control over financial reporting. If such a change occurred during a company’s fiscal quarter, the company will have to disclose the change in its quarterly report.

• This disclosure requirement replaces paragraph (b) in existing Item 307 of Regulations S-K and S-B regarding quarterly disclosure of changes in internal controls and corrective actions and is incorporated in new Item 308 of Regulations S-K and S-B.

• The new rules do not explicitly require disclosure about the reasons for the change; however, companies will have to determine, on a facts and circumstances basis, whether the reasons for the change, or other information about the circumstances surrounding the change, constitute material information necessary to make the disclosures in the report not misleading.

Auditor Independence Issues

• Management and the company’s outside auditor will need to coordinate their processes of documenting and testing internal control over financial reporting.

• The adopting release reminded companies and their auditors that the Commission’s rules on auditor independence prohibit an auditor from providing certain nonaudit services to an audit client.

• When the auditor is engaged to assist management in documenting internal controls or preparing evaluative tools, management must be actively involved in the process. Management cannot delegate its responsibility to assess its internal control over financial reporting to the auditor.

Compliance Dates

• A company must begin to comply with the management report on internal control over financial reporting disclosure requirements for fiscal years ending on or after June 15, 2004, if it is an “accelerated filer,” as defined in Exchange Act Rule 12b-2 as of the end of its first fiscal year ending on or after June 15, 2004.

• Companies that are non-accelerated filers, including small business issuers and foreign private issuers, must begin to comply with the disclosure requirements in annual reports for their first fiscal year ending on or after April 15, 2005.

• All companies must begin to comply with the quarterly evaluation of changes to internal control over financial reporting requirements for their first periodic report due after the first annual report that must include management’s report on internal control over financial reporting.

Agenda

1:00 - 1:10 Introduction and Overview - Jim Key

1:10 - 1:20 Management’s Report on Internal Control Over Financial Reporting - Sean Harrison

1:20 - 1:40 Preparing the 404 Work Plan – Kiko Harvey & David Richards ** Combined Presentation

1:45 - 1:50 Break

1:50 - 2:25 Questions & Answers – Panel

2:25 - 2:30 Concluding Remarks – Jim Key

Dave Richards, CIA, CPA

Director, Internal Auditing

FirstEnergy Corp.

Kiko Harvey, CPA

Director, Internal Audit

Starbucks Corporation

Preparing the 404 Work Plan

A Step-by-Step Process

Overview

Step 1: Organize the Project Team / Communicate

Step 2: Set the Project Scope

Step 3: Develop Tools

Step 4: Documentation

Step 5: Test and Evaluate Controls

Step 6: Reporting

Step 1: Organize the Project Team / Communicate

FirstEnergy 404 Project Team Organization Chart

• Steering Committee

• Disclosure Committee

• VP - Controller, CRO, CIO, VP - ED, General Counsel, BU Controller

• Project Manager: Director, IA

• Internal Auditing: 5 people

• Controller's: 1 person

• Business Unit: 5 people

TRAINING

• Core Team

– 404 Requirements

– Co. Approach (process to be followed)

– Guidelines

– Documentation tool

• Process Owner

• Process members (extended team)

• Steering Committee

• Audit Committee

• Disclosure Committee

SOA 404 Annual Control Assessment Process

High level overview

[Flowchart, part 1: Financial Statements; Processes; Risk & Control Matrix (draft); Process Assessment Team; Materiality Guidelines; Risk Guidelines]

[Flowchart, part 2: Workshop(s) to confirm Matrix; Design Assessment; GAPS; Corrective action; No Gaps; Workshop Guidelines; ICW]

[Flowchart, part 3: Testing to confirm controls; Testing Results Assessment; GAPS; No Gaps; Corrective action; Overall assessments statements; Testing Guidelines; ICW; Test Plan]

Step 2: Scope the Project

• Identify cycles that drive financial statement information

• Identify other key processes critical to the company’s success

• Map out significant transactions for each cycle and business process to form the basis for documenting controls

Example

• Cycles and their transactions: Revenue: Authorize Credit; Maintain Customer Files; Invoicing; Collecting; Analyzing Bad Debt

• Key Processes and their transactions: Retail Operations: Hiring, Training & Scheduling Employees; Point of Sale Maintenance; Merchandising & Promotions; Sales and Cash Audit; Inventory & Asset Management

• Map financial statement components to cycles and key processes

• Identify locations having a significant impact on the financial reporting environment for testing

– Set materiality guidelines for balance sheet and P&L (i.e. % assets, EPS impact)

– Introduce project to remote accounting locations selected for testing

Step 3: Develop Tools

• Determine how you will organize the documentation – consider using special purpose software (COSO based)

• Develop checklists

– Control self-assessment questionnaires

– Policies and procedures surveys

– Segregation of duty templates

Step 4: Documentation

• Collect and inventory existing internal control documentation for cycles and key processes identified in scoping activity

• Distribute checklists to new locations or where information requires update

• Using the COSO documentation tool, document controls for all transaction cycles and key processes in a “controls repository” – replicate for locations selected for testing

Organization of Controls Repository (Example)

• Transaction

– Identified during scoping phase (by cycle and key process)

– Map to financial statement accounts, disclosures, footnotes, etc.

• Identify Risk

– Identify risks for each transaction based on financial statement assertions (existence, accuracy, completeness, etc.)

• Identify Control

– Document key control activities for each risk identified

– Determine if preventive or detective in nature

– Determine if automated or manual

– Frequency of control activity (daily, monthly, quarterly)

Step 5: Test and Evaluate Controls - Testing Guidance

• Testing definition

• Objectives for testing

• Methods (options) for testing

• How to determine proper test

• Expectations of results of test

• Which controls to test (ID Key control)

• Documentation

• Evaluation (expectations vs. results)

• Frequency of testing

• Who performs the test

• Determination of “gaps”

• Action plans

• Identification of deficiency, significant deficiency or material weakness

• Retesting

• Deficiency: Control Activity / Technique

• Significant Deficiency: Multiple Control Activities

• Material Weakness: COSO Financial Control Objective not met

Control Objectives = COSO Financial Statement Assertions

1. Existence / Occurrence

2. Completeness

3. Measurement / Valuation

4. Rights & Obligations Recorded

5. Proper Classification & Disclosures

6. Safeguarding of Assets

7. Fraud Prevention / Detection

Deficiency

“Design gap” or “Operational gap”

= Missing control (design)

= Control objective not met (design)

= Control not present (operational)

= Control not operating as designed (operational)

= Control cannot be confirmed (operational)

= Inconsistent application (person performing control not qualified) (operational)

Payroll Process

• Control Objective: Completeness – all material liabilities recorded

• Risk: All labor liabilities not recorded

• Control Activity: Labor accrual is booked for unpaid time

• Test Results: Accrual is automatic based on prior 2 wks; overtime is not accrued; new hires out; exits in

Significant Deficiency

• Frequency of deficiencies noted

• Errors in multiple controls tied to key risk

• More than one control activity contains testing errors beyond expectations

• Control objective key risks are mitigated but only because one control activity has tested ok vs. all controls tied to the risk

Property Accounting

• Control Objective: Existence of assets

• Risk: Assets not recorded

• Control Activity: Purchase orders issued by SC

• Test Results: BU purchase assets as expense; material is charged out of warehouse but not installed

Material Weakness

• Key risks (HH) tied to control objective not mitigated

• Control objective cannot be achieved

• All controls designed to mitigate a risk have deficiencies

• Significant “material” transactions flow through the process ($10,000,000)

Process: Zai*net Deal Capture

Control Objective #2: Completeness of transactions

Key Risk #2.1: Transactions may be inaccurately recorded

Control Activity #2.1.4: Confirmation process used to ensure deals are captured & complete

Test: Select 30 transactions over test period; compare confirms to Zai*net data (9 characteristics)

Account Mapping to Material Accounts = Processes

Expectation: all deals will be confirmed with all 9 characteristics matching

Step 6: 404 Reporting

• Team meeting agendas & minutes

• Assignments

• Monthly report

• Steering Committee meetings

• Disclosure Committee meetings

• Updates to Audit Committee

• Updates to Senior Management (CEO, CFO, President, Key VPs)

• External Financial Audit Team

Agenda

1:00 - 1:10 Introduction and Overview - Jim Key

1:10 - 1:20 Management’s Report on Internal Control Over Financial Reporting - Sean Harrison

1:20 - 1:40 Preparing the 404 Work Plan - Kiko Harvey & David Richards ** Combined Presentation

1:45 - 1:50 Break

1:50 - 2:25 Questions & Answers – Panel

2:25 - 2:30 Concluding Remarks – Jim Key

Summary

• Interpretation of SEC Rules is subjective

• Check SEC website www.sec.gov regularly for regulatory actions

• Approach 404 management assessment of internal controls as major project

• Apply project management disciplines to ensure compliance

The IIA Webcast Moderator

Jim Key, CIA

Managing Partner

Shenandoah Group, L.L.P