1 / 50

The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act

The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act. The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Session #6 – September 30, 2003. The IIA Webcast Moderator. Jim Key, CIA Managing Partner Shenandoah Group, L.L.P. Disclaimer.

emi-melendez
Download Presentation

The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Session #6 – September 30, 2003

  2. The IIA Webcast Moderator Jim Key, CIA Managing Partner Shenandoah Group, L.L.P

  3. Disclaimer The views expressed in this webcast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees and members.

  4. Series 2: Emerging Trends and Best Practices in Implementing SOA • May 21 - Section 404 Readiness Review: How to document your system of internal control. (Archived) • June 10 - Helping your audit committee implement complaint handling. (Archived) • July 8 - Leveraging the COSO framework to meet Section 404 requirements (Archived) • August 12 - Project Administration – Setting and revising priorities in the wake of the “Final 404 Rules” (Archived) • September 9 - Internal Audit support of Audit Committees – What works best • September 30 - The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act

  5. Webcast Series on SOA Fostering Compliance with SOA: Internal Auditor’s Role • Four sessions archived on IIA’s website and available on CD • Originally aired January 28 – April 15, 2003

  6. IIA Online Training - New ! Conferences on Demand • IIA’s August’s ERM/CSA Conference 10 best sessions online for $199. • Stay current and earn CPEs • Visit http://www.theiia.org/iia/index.cfm?doc_id=4382for a list of the segments and additional information. • Or, contact rbrindley@theiia.org.

  7. Agenda 1:00 Introduction and Overview - Jim Key 1:05 Internal Control Strategy – Patricia Scipio Fitting into the Bigger Picture – Kimberly Parker Gavaletz COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel 1:55 Break 2:00 Questions & Answers – Panel 2:25 - 2:30 Concluding Remarks – Jim Key

  8. Internal Control Testing Strategy Patricia Scipio, CIA, CPAVice President, Auditing Wellchoice, Inc.

  9. Where is your company at in terms of 404 Readiness?

  10. When is your company planning to test the operating effectiveness of key controls?

  11. Key Initial Decisions • What controls will be tested? • How will each type of control be tested? • When will each control be tested? • How often should each control be tested? • Who will perform the testing?

  12. Testing Strategy Objectives • Standardize a methodology for testing the operating effectiveness • Develop proactive warning indicators to alert management of potential control failures • Monitor key processes by continuous scanning for adverse developments • Develop a turn key approach so business owners can easily perform testing as part of their routine

  13. Financial Reporting Control Objectives • Existence or Occurrence • Completeness • Rights and Obligations • Valuation or Allocations • Presentation and Disclosure

  14. Accountability Control Totals Double Verification Exception/Edit Reports Holding Files Independent Checks Interface Controls Key Performance Indicators Management Review Numerical Sequencing Periodic Reconciliation Pre-numbered Documents Proper Authorization Safeguard Assets Segregation of Duties System Configuration Transactions Recorded Basic Controls

  15. Means of Achieving Control • Organization – structured roles • Policies – principles and guidelines • Procedures – methods employed • Personnel – qualifications to perform the job • Accounting – financial control • Budgeting – expected results • Reporting – timely, accurate and meaningful

  16. Controls by Function or Type • Directive Controls • Preventive Controls • Detective Controls • Corrective Controls • Manual vs Automated Controls • Hard vs Soft Controls

  17. Testing Procedures • Inquiry • Observation • Inspection of Physical Evidence • Re-performance

  18. Factors in Designing Testing Strategy • Nature of control & significance in achieving objective • One control supporting more than one objective • Significant changes in volume or nature of transactions • Changes in the design of the control • Degree to which control relies on effectiveness of other controls

  19. Factors in Designing Testing Strategy (continued) • Complexity of the Control • Manual vs. Automated Control • Existence of Self-assessment Programs • Entity wide Control • Frequency of Control • Timing of Test of Controls • Changes in key personnel who perform or monitor the control

  20. Summary • Several factors must be considered in determining the nature, timing and extent of testing • Management should monitor the quality and performance of the system of internal control over time • To the extent possible, internal controls should be structured to be self-monitoring and self-correcting

  21. Agenda 1:00 Introduction and Overview - Jim Key 1:05 Internal Control Strategy – Patricia Scipio Fitting into the Bigger Picture – Kimberly Parker Gavaletz COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel 1:55 Break 2:00 Questions & Answers – Panel 2:25 - 2:30 Concluding Remarks – Jim Key

  22. Fitting Into the Bigger Picture Kimberly Gavaletz VP, Internal Audit Lockheed Martin Corporation

  23. Components • Framework • Quality • Keeping It Fresh Internal Audit’s Obligation & Opportunity

  24. Framework • II. Discussion of Amendments Implementing Section 404 • 1.B.3 Final Rules …a company’s annual report to include and internal control report of management that contains… • Astatement identifying the frameworkused by management to conduct the required evaluation of the effectiveness of the company’s internal control over financial reporting; • 1.B.3.A Evaluation of Internal Control over Financial Reporting • …Management must base its evaluation of the effectiveness of the company’s internal control over financial reporting on a suitable,recognized control frameworkthat is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. The COSO Framework satisfies our criteria and may be used as an evaluation framework…However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute… June 5, 2003 SEC Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports

  25. COSO Big Picture Embodied in the Framework Other Frameworks: Guidance on Assessing Control, Turnbull Report, “Future Developments”

  26. Framework: Ownership Objectives Risks Controls Monitoring Control Environment & Information/Communications Management Owns Internal Audit Performs Independent Assessments/Audits Key: Management Ownership

  27. Framework: Scope Today’s Emphasis Disclosure Controls-302 Internal Controls-404 Integrity of Financial Reporting Big Picture Business Objectives - Financial - Technical Delivery - Compliance Performance with Integrity

  28. Quality • Who Decides Quality of Controls? • Who Decides Level of Consistency Needed? Balance of Controls ReactivegProactivegPreventive

  29. Quality: Internal Audit • Start: Serve as a Facilitator/Partner across Management and External Auditors – Start the Dialog – Determine the Roles • Options/Steps: – Independently Assess Existing Quality Assurance Structure – Advise Management on the Need and Scope of a Quality Assurance System – If Necessary, “Gap Fill” as the Quality Assurance Function

  30. Keeping It Fresh • Keep it Fresh • Continuous Improvement • Ongoing Involvement • Utilize Evolving Technology Advise Management Attest Internal Audit System of InternalControls Assess & Opine External Audit

  31. Summary • Focus on the Big Picture • Framework-Scope-Ownership • Focus on Quality • Ownership • Detection & Prevention • Keep it Fresh • Continuous Improvement-Involvement

  32. Agenda 1:00 Introduction and Overview - Jim Key 1:05 Internal Control Strategy – Patricia Scipio Fitting into the Bigger Picture – Kimberly Parker Gavaletz COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel 1:55 Break 2:00 Questions & Answers – Panel 2:25 - 2:30 Concluding Remarks – Jim Key

  33. COSO’s ERM Framework:The Shape of Things to Come Paul J. Sobel Vice President, Internal Audit Mirant Corporation

  34. OPERATIONS REPORTING COMPLIANCE STRATEGIC Internal Environment Objective Setting SUBSIDIARY Event Identification BUSINESS UNIT DIVISION Risk Assessment ENTITY - LEVEL Risk Response Control Activities Information and Communication Monitoring The New COSO Cube

  35. Internal Environment • Today- An Integral Part of Sarbanes-Oxley 404 • Integrity and ethical values • Control consciousness and operating style • Commitment to competence • Board/Audit Committee participation in governance • Tomorrow - Embracing Risk • Risk management philosophy • Risk culture • Risk appetite Internal Environment

  36. Objective Setting • Today - Financial Statement Assertions • Access to assets • Authorization • Completeness and accuracy • Existence and occurrence • Presentation, classification and disclosure • Rights and obligations • Valuation or allocation • Tomorrow - Business Objectives • Beyond financial objectives • Formalized risk tolerance levels Objective Setting

  37. Event Identification • Today - An Ad Hoc Part of Risk Assessment • Generic risk universes • Standard risks and definitions • Few scenarios considered • Tomorrow - Formal Identification and Analysis • Answer the questions “What can go wrong?” and “What needs to go right?” • Understand events/scenarios (worse case, most likely, etc.) • Consider interdependencies (domino effect)1000 Event Identification

  38. Risk Assessment • Today - Becoming common, but somewhat Superficial • Tends to be pretty broad • May only be done in silos • Minimal support for judgments • One-time event • Tomorrow - A Robust, Ongoing Activity • Integrated with strategic planning • Inherent and residual risk considered • Enterprise-wide Risk Assessment

  39. Risk Response • Today - Individual Judgments • Based on past experience and instinct • Typically focuses on a single response • Little consideration to portfolio effect • Tomorrow - Portfolio Approach • Identify and evaluate range of possible responses • Consider enterprise-wide responses • A formal process Risk Response

  40. Control Activities • Today - Ensuring Adequate Control • General and application/specific controls • Preventative and detective controls • Automated and manual controls • Routine and non-routine controls • Tomorrow - Ensuring Objective Achievement • Integrated with risk response • Focuses on strategic, operational, financial and compliance objectives Control Activities

  41. Information & Communication and Monitoring Information and Communication Monitoring • Today - Financial Reporting and Compliance • Supports financial judgments • Blend of internal and external information • Multi-directional communications • Monitor degree of success • Tomorrow - Strategic and Operations • All of the above for all objectives • Integrated monitoring system

  42. What Does it Mean for Internal Auditors? • Transition to a Risk Management-Based Internal Audit Approach • Internal Environment - Expand focus to include risk philosophy, risk culture and risk appetite • Objective Setting - Obtain understanding of objectives; determine risk tolerance levels • Event Identification - Imbed in annual and process level risk assessments • Risk Assessment - Lead or facilitate a robust, ongoing, enterprise-wide process

  43. What Does it Mean for Internal Auditors? • Transition to a Risk Management-Based Internal Audit Approach (continued) • Risk Response - Facilitate identification of possible responses; bring process orientation • Control Activities - Link controls back to objectives;ensure integration with risk response • Information and Communication - Evaluate as a part of every audit (make a separate risk) • Monitoring - Recommend ways to enhance in every process

  44. REPORTING COMPLIANCE OPERATIONS STRATEGIC Internal Environment Objective Setting SUBSIDIARY Event Identification BUSINESS UNIT DIVISION Risk Assessment ENTITY - LEVEL Risk Response Control Activities Information and Communication Monitoring Summary - The COSO Evolution Control Activities • 1992 - Groundwork laid, but not focused for most companies • 2002 - Sarbanes-Oxley brought internal control to the forefront • 2004+ - True ERM begins to take shape

  45. Agenda 1:00 Introduction and Overview - Jim Key 1:05 Internal Control Strategy – Patricia Scipio Fitting into the Bigger Picture – Kimberly Parker Gavaletz COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel 1:55 Break 2:00 Questions & Answers – Panel 2:25 - 2:30 Concluding Remarks – Jim Key

  46. Agenda 1:00 Introduction and Overview - Jim Key 1:05 Internal Control Strategy – Patricia Scipio Fitting into the Bigger Picture – Kimberly Parker Gavaletz COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel 1:55 Break 2:00 Questions & Answers – Panel 2:25 - 2:30 Concluding Remarks – Jim Key

  47. Agenda 1:00 Introduction and Overview - Jim Key 1:05 Internal Control Strategy – Patricia Scipio Fitting into the Bigger Picture – Kimberly Parker Gavaletz COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel 1:55 Break 2:00 Questions & Answers – Panel 2:25 - 2:30 Concluding Remarks – Jim Key

  48. Webcast Summary • It is essential to be intentional about planning your testing strategy • Focusing on quality and continuous improvement will leverage your control framework for better results • COSO ERM framework provides an opportunity for Internal Audit to help organizations meet strategic goals

  49. Future Webcasts • Webcast Steering Committee • Survey - Input

  50. Thank you for your participation! Your Comments/Feedback are very important – please complete the evaluation form and redeem a discount on an Online Training product. Email agoodman@theiia.org for more details!

More Related