
Documenting & Testing Controls. The Institute of Internal Auditors 2004 Program on Sarbanes-Oxley January 13, 2004. Dave Richards, CIA, CPA Director, Internal Auditing FirstEnergy Corporation. Agenda. 1:00 - 1:05 Introduction & Overview- Dave Richards


Documenting & Testing Controls

The Institute of Internal Auditors
2004 Program on Sarbanes-Oxley
January 13, 2004

Dave Richards, CIA, CPA
Director, Internal Auditing
FirstEnergy Corporation


Agenda

1:00 - 1:05 Introduction & Overview - Dave Richards

1:05 - 1:15 Process Universe & Documentation - Bob Biancalana

1:15 - 1:25 Design Documentation & Evaluation - Lynn Fountain

1:25 - 1:35 Documentation & Testing - Bruce Caplain

1:35 - 1:45 Remediation – When Testing is Done - Greg Neely

1:45 - 1:50 Break

1:50 - 2:25 Questions & Answers - Panel

2:25 - 2:30 Concluding Remarks - Dave Richards



Key Documentation Issues

1. Approach

2. Processes

3. Risks

4. Controls

5. Design assessment

6. Key Controls to be tested


7. Test plans

8. Test results

9. Identification of control deficiencies

10. Corrective action plans

11. Re-testing

12. Assertion statements




Process Universe and Documentation

Bob Biancalana, CIA, CPA, CISA
Director of Internal Audit Services
Caremark Rx, Inc.


Process Universe and Documentation

Define the 404 Process Universe

Documenting the 404 Processes


Process Universe and Documentation

Define Correct “Auditable Process” Level

Identification of Total Process Universe

Define “Financial Reporting” Using COSO

Eliminate and Prioritize


Determining the Boundaries

Entity Wide

Bridge

Task/Procedure Level

Policies & Regulations

Key Processes & Internal Controls

Training Manuals



Determining the Boundaries

Caremark

Entity Wide Policies

  • Functional Units

    • Control Units

      • Auditable Processes

        • Sub-Processes

          • Tasks (Procedures)

SOX 302 Quarterly Internal Control Certifications

SOX 404 Documentation of Processes, Risks and Controls

Training Manuals



Eliminate and Prioritize



404 Universe by COSO Category



Process Documentation

Facilitates risk identification and assessment

  • Begins with the end in mind

  • Focuses on quality concept of inputs, processing and outputs

  • Integrates operational, system and financial reporting flows





CAAT and GAAP Technique

  • For each data transfer point in our process map, we should consider the following causes of error:

    The data is…

    • Incomplete

    • Inaccurate

    • Unauthorized

    • Untimely

  • Also, for the data transfer point where data is input into the G/L, we should consider the risk that GAAP is not applied correctly.




    Financial Assertions

    Through utilization of the CAAT technique and a consideration of GAAP, we will identify the potential causes of errors related to the financial assertions:



    Key Points

    • Point of contention is definition of “financial reporting”

    • Go beyond “just compliance”

    • Define and determine unique niche

    • Don’t create redundant documentation

    • Have long-range strategy




    Design Documentation & Evaluation

    Lynn Fountain, CPA, MBA

    Sr. Manager Risk Assessment & Audit Services

    Aquila, Inc.



    Getting Started

    • Tools

      • Information repository

      • Financial statement linkage

      • Ongoing attestation

    • Process classification scheme

      • Define business cycles

      • Define processes & sub-processes



    Cycles/Processes


    Documentation Requirements

    • Risk Matrix

      • Identify relevant financial statement/reporting risks

      • Identify operational or compliance risks that have key financial links

    • Control Points

      • Key Controls

        • Ensures propriety and effective management of process

      • Secondary Controls

        • Support a key control

        • Are supported by other controls in the process


    Risk Control Matrix

    ORGANIZATION: Corporate

    10.05.01 Accounts Payable

    Process Owner: John Doe

    Process Effectiveness: Not Evaluated

    Accounts Applicable: 1000 Assets: 1110 Cash & Cash Equivalents: 1111 Cash, 2000 Liabilities: 2130 Accounts Payable:

    Assertions | Evaluation
    Access to Assets | Effective
    Authorization | Not Evaluated
    Completeness and Accuracy | Effective
    Presentation and Disclosure | Effective

    Risks | Design | Operation
    Applications Risk | Effective | Not Effective
    Fraud | Effective | Effective
    Payment Accounting | Ineffective | Not Evaluated
    Payment Accuracy | Effective | Effective
    Payment Authorization | Ineffective | Not Evaluated
    Vendor Maintenance | Effective | Effective

    CONTROL LIST:

    Specific/Preventive/Manual

    A standard payment request form is utilized to ensure consistent information is conveyed when a payment is processed

    A/P provides Treasury with a copy of daily Detail Report in order to verify integrity and completeness of the batch file uploaded to Integrity

    Monitoring/Detective/Manual

    Access to each page and function within PeopleSoft is managed and set up by System Administration in order to limit user access as appropriate by need (KEY)

    Pervasive/Preventive/System

    Access to make changes (i.e. address, bank account, etc.) to a vendor is limited to the System Administrator (KEY)

    Any coding errors identified by the system are kicked out to a coding error queue where the image of the voucher is saved, and the voucher is put on “recycle”. A/P reviews this log daily to ensure timely resolution (KEY)



    Evaluating Process Design

    • Sequence of evaluation

      • Individual control design

        • Prevention/detection of material misstatement

      • Collective control design

        • Reasonable assurance “collective” controls reduce risks to an acceptable level

      • COSO elements

        • Process control environment, risk assessment & information/communication

      • Overall process design



    Work Program – Design Effectiveness



    Individual Control Considerations

    • Existence

    • Design

    • Attributes

      • Value of individual control

      • Placement of control in the process

      • Process efficiency

      • Experience of individuals executing the control

      • Preventive/Detective

      • System/Manual



    Collective Control Considerations

    • Primary vs. secondary

    • Detective vs. preventive

    • System vs. manual

    • Overall risk mitigation impact

    • Monitoring controls

    • Past control variances

    • Reporting of control practices



    COSO Element Considerations

    • Control Environment

      • Roles & Responsibilities

      • Policies & Practices

    • Risk Assessment

      • Existence of process objectives

      • Availability of resources

    • Information & Communication

      • Information Technology

      • Reporting and communication



    Overall Process Design

    • Final Considerations

      • Efficiency of individual controls

      • Risk mitigation impact of collective controls

      • Existence of process COSO elements

    • Effective

      • No significant design gaps noted in any sequence of analysis that may result in material misstatement

    • Ineffective

      • Potential design gaps may result in a material misstatement




    Documentation & Testing

    Bruce Caplain, CPA
    Director of Auditing
    John Hancock Financial Services, Inc.



    Documentation & Testing

    • Precursors to testing

    • Communicating testing concepts

    • Performing the tests

    • Documenting your testing

    • Lessons learned



    Documentation & Testing

    • Precursors to Testing:

      • Executive support

      • Knowledge of the Sarbanes process

      • Management owning the process

      • Well documented controls

      • Ramifications of non-compliance



    Documentation & Testing

    • Communicating testing concepts

      • Teaching non-auditors to audit

        • Training, training, and more training

        • Tools, tools, and more tools

      • Evidence of control vs. testing controls



    Documentation & Testing

    • Performing the tests:

      • What is the objective of your test?

      • Who should test?

      • Which controls should you test?

      • How detailed should your testing be?

      • How large is the sample size?

      • What period should it cover?



    Documentation & Testing

    • Document your testing

      • Ideal vs. acceptable

      • System vs. manual

      • What needs to be evidenced

      • Testing documentation tool



    Documentation & Testing

    • Lessons Learned

      • Standardization

      • Dry run attestation before due date

      • Training, training, training, training

      • Tools, tools, tools, tools

      • Follow up

      • Biggest key to success is executive support




    Remediation – When Testing is Done

    Greg Neely, CIA

    Senior Director Operations Review
    Sysco Corporation



    Remediation – When Testing is Done

    • Overview of the work completed thus far

      • Mapped out and identified the processes

      • Determined the materiality of each process

      • Completed testing the processes and the internal controls

    • Deal with the gaps and shortfalls



    Dealing with the Gaps and Shortfalls

    • Controls Fail

      • What is the materiality of the Control



    Dealing with the Gaps and Shortfalls

    Controls should have been rated a level of importance

    The control owner indicates if the test passed or failed



    Dealing with the Gaps and Shortfalls

    • Controls Fail

      • What is the materiality of the control

      • Are there compensating controls in place (If no compensating control, put the control in place and retest)

      • How does this affect other Sarbanes-Oxley Certifications (302)



    Dealing with the Gaps and Shortfalls

    • Missed a Process

      • Determine if the process and related controls are material

      • If material, document the process and related controls

      • Perform testing



    Dealing with the Gaps and Shortfalls

    • Acquisitions

      • Determine if the acquisition is material

      • Develop a standard template of processes and controls and provide this template to the acquired entity

      • Over test if needed



    Dealing with the Gaps and Shortfalls

    • Over testing the work performed

      • Does the testing need to be verified

      • Who performs the over test

      • When over testing identifies errors

      • How do you document over testing



    Dealing with the Gaps and Shortfalls

    Document over testing procedures and conclusions reached

    Attach a copy of the worksheet over tested so it cannot be altered



    Dealing with the Gaps and Shortfalls

    • Certification

      • Continue to monitor the processes

      • Document monitoring procedures for external audit verification

      • Determine if additional testing is necessary prior to certification

      • If the process or the control environment changes you will need to re-test




    The Institute of Internal Auditors 2004 Program on Sarbanes-Oxley

    • Jan 13 - Documenting & Testing Controls

    • Feb 10 - IT Control Identification & Testing

    • Mar 9 - Balancing SOA with Risk Based Audit Planning

    • April 13 - Strategies for Internal & External Relationships

    • May 11 - IA Role in Management’s Assertion

    • June 8 - Start of 2004 Webcast Program 2


    The Institute of Internal Auditors 2004 Program on Sarbanes-Oxley

    • Pricing:

      • 10 sessions = $500

      • First 5 or second 5 = $300

      • Individual session = $75

      • CPE viewer credit = $15 [www.auditlearning.org]



    Conclusions

    • Documentation must be complete

    • Documentation must follow plan

    • Documentation must support conclusions

    • Documentation should cover all processes that support material accounts in Financial Statements

    • Corrective action documentation must enable testing prior to certification date



    Next Webcast

    February 10, 2004

    “IT Control Identification & Testing”

    See you at our next webcast!

