Sarbanes-Oxley Section 404 Compliance Process Improvement: A Financial Reporting Risk Management Model
Presented by: John A. Wheeler - Senior Vice President, Financial Reporting Risk Management; Dan Shaughnessy – Partner, KPMG LLP
May 2006
Discussion Agenda
1. A quick review of SunTrust's journey through two years of Sarbanes Oxley Compliance. Lessons learned from year one and best practices achieved in year two.
2. Sustainable compliance: How SunTrust has leveraged a diverse team and technology to create a sustainable process for effective compliance.
3. Future vision: How SunTrust and others can leverage SOX compliance activities into other initiatives.
About SunTrust
• 9th largest U.S. commercial bank based on total revenue
• Headquartered in Atlanta, Georgia
• As of December 31, 2005, total assets of $179 billion
• Footprint: Alabama, Arkansas, Florida, Georgia, Maryland, Mississippi, North Carolina, South Carolina, Tennessee, Virginia, West Virginia, District of Columbia
• Employees: more than 33,000
First Year Program Implementation Challenges
• Interpreting guidance from PCAOB
  – Definition of testing
  – Role definition (External Audit vs. Internal Audit)
  – Amount of reliance placed on Internal Audit
• Narrowing scope on key financial controls while not minimizing importance of operational or “non-key” controls
• Overcoming fatigue from 2003 “dry-run” and re-scoping effort
• Refining materiality definition / criteria and streamlining reporting process
• Coordinating efforts within the lines of business to minimize disruption to business operations
Lessons Learned
• Carefully manage scope
• Improve coordination with external auditor
• Foster business unit ownership of processes and compliance
• Build quality assurance into process
• Plan early and communicate often
• Devote more time to training
• Shift control testing activities to skilled resources to
  – increase quality
  – minimize disruption to business activities
• Automate to facilitate documentation, deficiency tracking and communication among the various stakeholders (i.e. Executive Management, Business Unit Management, Internal Audit, External Audit, etc.)
What is Sustained Compliance?
• Sustained Compliance means building a better, more embedded, compliance “infrastructure” based on the elements of the control environment.
• Sustained Compliance implies embedding the spirit of Ethics and Integrity and the process of Compliance into the organization’s way of doing business. Sustaining compliance becomes the “platform” for continuous improvement.
Path to sustained compliance:
1. Focus first-year efforts to FULLY COMPLY
2. Design and implement the “infrastructure” required to SUSTAIN it
3. Identify/implement changes to IMPROVE ongoing performance
Achieving this implies:
• Success is not sustained by “heroic” exertion
• Establishing a compliance program leading to a control environment/culture, not episodic compliance projects
• Assessing and addressing risk is a competence defined for all roles
• Establishing an ethical culture that guides behavior at all levels
2005 Sarbanes-Oxley Program Strategic Decisions
• Established Financial Reporting Risk Management Group with skilled resources to facilitate and oversee compliance program for SOX 302 & 404
• Assigned responsibility for performing management testing of key financial reporting controls to Audit Services
• Leveraged LOB / Function Risk Management infrastructure to maintain required control documentation and execute remediation action plans
• Implemented a software solution to facilitate SOX documentation and reporting
• Evolved SOX 404 Implementation Steering Committee to a permanent Financial Reporting Risk Committee reporting to the Disclosure Committee
2005 Sarbanes-Oxley Program Timeline
1) 2004 Wrap-up / Transition
2) Program Mgt. & Scope
3) Documentation & Assessment
4) Test & Evaluate Effectiveness
5) Deficiency Remediation
6) SOX Section 302 Monitoring / Certification
7) Automation
(Timeline chart across Q1–Q4 2005: 2004 Follow-up; FSRA and Y/E FSRA Update; Control Testing; 2005 Remediation; Automation Implementation followed by Ongoing Management; Maintain & Assess; Program Oversight & Update FSRA; quarterly Disclosure Review & CEO/CFO Certification; 404 Report at year-end.)
2005 Sarbanes-Oxley Program Structure
(Organization chart)
• Audit Committee
• CEO / CFO
• Disclosure Committee
• Financial Reporting Control Committee
• Financial Reporting Risk Management
• External Audit / Internal Audit
• Line of Business / Function Heads
• Line of Business / Function Risk Managers & Process Owners
FRRM Organizational Structure
Financial Reporting Risk Management – Senior Risk Officer, with the following functions and responsibilities:
• Program Management
  – Project Management
  – Organization & Communication
  – Issue Management / Escalation
  – Transition / Change Management
• Risk Assessment / Financial Analysis
  – Risk Assessment Methodology
  – Financial Statement Analysis / Scope
  – Section 302 Control Change Impact Analysis
  – Control Deficiency Impact Analysis
• Documentation & Assessment
  – Entity-wide Control Assessment
  – Financial Cycle / Control Documentation
  – IT General Control Documentation
  – External Service Provider / SAS 70 Review
• Deficiency Remediation & Classification
  – Testing Result Monitoring
  – Deficiency Tracking / Reporting
  – Deficiency Classification
  – Remediation Action Plan Monitoring
  – Section 302 Monitoring / Certification
• Administration
  – System Implementation
  – Software / Database Administration
  – Reporting
Supporting groups: Line of Business / Function Risk Management; Test & Evaluate Operating Effectiveness – Internal Audit
Financial Statement Risk Assessment & Scoping
• Perform initial Financial Statement Risk Assessment (FSRA) based on 2004 year-end financials
• Use quantitative and qualitative measures to determine significant accounts
• Define significant cycles and processes
• Communicate scope changes to risk managers
• Re-perform FSRA quarterly
Scoping and Planning Materiality
2005 Planning Materiality Matrix
                        High Risk                Lower Risk
Overall Materiality     5% of pre-tax income     5% of pre-tax income
Reduction/haircut       50%                      25%
Planning Materiality    2.5% of pre-tax income   3.75% of pre-tax income

SunTrust Planning Materiality: 3% of pre-tax income ($85 Million)
Account Totals: Balance Sheet – 178 accounts; Income Statement – 48 accounts
Documentation and Assessment - Key Concepts
• Standardization of documentation
  – COBIT used as framework for ITGC documentation
  – Third Party Service Provider – standard evaluation template
• Engagement of external consultants to assist
• Ownership by Lines of Business key to success
• Risk Manager and Line of Business Head Sign-off required at end of documentation phase
• Documentation to be reviewed and updated quarterly
2005 Deficiency Classification Process
• Major Phases
  1. Deficiency Identification: Evaluate results from Internal Audit, External Audit and Regulatory Agencies
  2. Deficiency Classification: Evaluate qualitative and quantitative factors with assistance of the Risk Manager and develop recommended classification
  3. Deficiency Escalation & Approval by FRC Committee: Escalation of deficiencies to Financial Reporting Control (FRC) Committee and Disclosure Committee (as needed)
  4. Management Reporting: Report to FRC Committee, Disclosure Committee and Audit Committee (as needed)
“…management must exercise judgment in a reasonable manner in the evaluation of deficiencies in internal control over financial reporting, and such evaluations may appropriately consider both qualitative and quantitative analyses.” – Commission Statement on Implementation of Internal Control Reporting Requirements 2005-74 (SEC, May 16, 2005)
2005 Deficiency Classification Criteria
Financial Reporting Risk Management will use the following Deficiency Classification Criteria agreed upon by the FRC Committee.
Classification of Financial Reporting Control Deficiency (by likelihood of misstatement, potential magnitude of income statement misstatement*, and potential magnitude of balance sheet misstatement*):
• Internal Control Deficiency
  – Likelihood: either remote or less than a 10% chance
  – Income Statement: Inconsequential – less than 1/2% of pre-tax income (approx. $14 million)
  – Balance Sheet: Inconsequential – less than 1/2% of total equity (approx. $80 million)
• Significant Deficiency
  – Likelihood: more than remote and more than a 10% chance
  – Income Statement: More than Inconsequential – greater than 1/2% of pre-tax income (approx. $14 million)
  – Balance Sheet: More than Inconsequential – greater than 1/2% of total equity (approx. $80 million)
• Material Weakness
  – Likelihood: more than remote and more than a 10% chance
  – Income Statement: Material – greater than 5% of pre-tax income (approx. $141 million)
  – Balance Sheet: Material – greater than 5% of total equity (approx. $800 million)
* Consideration will be given to the impact of known and/or potential misstatements on annual and interim financial statements.
Sarbanes-Oxley Compliance Software Selection
Users:
• Financial Reporting Risk Management
• Risk Managers
• Process Owners
• Internal Audit
• Executive Management
• External Audit
Considerations:
• Controls repository
• Documentation repository
• Test results
• Certification
• Workflow
• Security
• Audit trails
• Reporting
Leading Vendors:
• OpenPages
• Certus
• Paisley Consulting
• Handysoft
• IBM
• Stellent
2006 and Beyond – Continuous Improvement
• Entity-wide assessment – timely execution
• Risk assessment to minimize testing
• Interpreting guidance from PCAOB & SEC
• Continuous enhancement of end-user computing controls
• Leveraging knowledge of controls and optimizing control portfolio to bring value
• Ongoing management of external audit relationship – strengthen communication
• Embedding efforts within the lines of business to foster accountability and ownership of risks
(Chart: SOX program maturity stages – Compliance (2004), Sustainability (2005), Rationalization and Optimization (2006+) – plotted against Business Benefit.)
How Did the Marketplace Get Here?
The pendulum has moved from Performance-focused to Control-focused as market and regulatory drivers have changed in the last 5 years.
Regarding SOX, most companies started with a compliance focus and have entered into sustainability. Some are finding it difficult to move into rationalization.
(Chart: transformation over Time from Performance Focused / Performance Biased (late 1990’s) to Control Focused / Control Biased (Y2K, S-O 404, Today) toward Performance and Control Optimized (2006 and Beyond); axes are Business Improvement and Risk / Controls Improvement.)
Analysis of Control Data
(Chart: control data analyzed across All Processes and drilled down to One Process.)
Sample Reporting: Opportunity Analysis
(Chart: opportunity analysis based on current control data, highlighting areas of Significant Opportunity.)
Sample Reporting - Summary of Control Transformation/Elimination Opportunities
(Matrix rating each opportunity area below for four cycles: Revenue, Financial Close, Corporate Processes, ITGC.)
• Automate Controls: Lowers cost, improves effectiveness, and simplifies on-going testing of controls
• Transform Controls from Detective to Preventive: Shifts the focus to preventing errors and improving decision information
• Lower Frequency of Controls: Performing a control only the appropriate number of times improves efficiency
• Lower Data Error & Rework Rates: Improves cycle time and quality of information, reduces costs and reduces risk
• Improve Staffing Conditions: Enhances employee performance, resulting in improved effectiveness and efficiency and reducing overall cost
• Insignificant Controls (currently marked as significant): Controls that were tested in 2004 that are no longer deemed significant
• Overall Opportunity: Prioritization of resource allocation to take advantage of improvements
Legend: Greatest Opportunity Exists, Apply Resources / Baseline Resources are Sufficient / Analysis Needed to Determine Resource Allocation
Driving Efficiencies: Cost Reduction Factors
Life Cycle Cost Reduction Approach
• Scope & Plan: Limit the number of in-scope processes and locations based on account characteristics.
• Documentation: Identify key controls to test, and streamline processes and controls across multiple locations / divisions. Fewer documents will result in fewer external auditor walkthroughs.
• Testing: Limit testing to critical plants based on key control selection scoping definitions, sampling across plants or divisions where possible.
• Remediation: Prioritize remediation based on risk to the financials.
• External Audit: Higher reliance on management’s testing, with external testing limited to a subset of management’s controls.
• Process Owner: Less rework and better definitions of evidentiary requirements.
• PMO: More efficient management of tasks, timeliness, and deliverables.
Keys to Building a Sustainable Model
• Formalize the compliance and governance structure
• Clearly define roles and responsibilities
• Identify and actively seek needed skills and competencies
• Invest in training programs that are portable and easy to maintain
• Understand and optimize your controls portfolio
• Standardize documentation across the company
• Integrate Section 302 and 404 – financial reporting and internal control certifications
• Implement a top-down, risk-based scoping approach
• Automate the compliance process as well as controls
• Align key stakeholders’ performance goals/incentives with compliance program objectives
• Communicate, communicate, communicate