Documenting & Testing Controls


Documenting & Testing Controls. The Institute of Internal Auditors 2004 Program on Sarbanes-Oxley January 13, 2004. Dave Richards, CIA, CPA Director, Internal Auditing FirstEnergy Corporation. Agenda. 1:00 - 1:05 Introduction & Overview- Dave Richards


Documenting & Testing Controls

The Institute of Internal Auditors
2004 Program on Sarbanes-Oxley
January 13, 2004

Dave Richards, CIA, CPA
Director, Internal Auditing
FirstEnergy Corporation

Agenda

1:00 - 1:05 Introduction & Overview - Dave Richards
1:05 - 1:15 Process Universe & Documentation - Bob Biancalana
1:15 - 1:25 Design Documentation & Evaluation - Lynn Fountain
1:25 - 1:35 Documentation & Testing - Bruce Caplain
1:35 - 1:45 Remediation – When Testing is Done - Greg Neely
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers - Panel
2:25 - 2:30 Concluding Remarks - Dave Richards

Key Documentation Issues

1. Approach

2. Processes

3. Risks

4. Controls

5. Design assessment

6. Key Controls to be tested


7. Test plans

8. Test results

9. Identification of control deficiencies

10. Corrective action plans

11. Re-testing

12. Assertion statements


Process Universe and Documentation

Bob Biancalana, CIA, CPA, CISA
Director of Internal Audit Services

Caremark Rx, Inc.

Process Universe and Documentation

Define Correct “Auditable Process” Level

Identification of Total Process Universe

Define “Financial Reporting” Using COSO

Eliminate and Prioritize

Determining the Boundaries

  • Entity Wide
  • Bridge
  • Task/Procedure Level
  • Policies & Regulations
  • Key Processes & Internal Controls
  • Training Manuals

Determining the Boundaries

Caremark

Entity Wide Policies

  • Functional Units
    • Control Units
      • Auditable Processes
        • Sub-Processes
          • Tasks (Procedures)

SOX 302 Quarterly Internal Control Certifications

SOX 404 Documentation of Processes, Risks and Controls

Training Manuals

Process Documentation

Facilitates risk identification and assessment

  • Begins with the end in mind
  • Focuses on quality concept of inputs, processing and outputs
  • Integrates operational, system and financial reporting flows
CAAT and GAAP Technique
  • For each data transfer point in our process map, we should consider the following causes of error:

The data is…

        • Incomplete
        • Inaccurate
        • Unauthorized
        • Untimely
  • Also, for the data transfer point where data is input into the G/L, we should consider the risk that GAAP is not applied correctly.

CAAT

Financial Assertions

Through utilization of the CAAT technique and a consideration of GAAP, we will identify the potential causes of errors related to the financial assertions:

Key Points
  • Point of contention is definition of “financial reporting”
  • Go beyond ‘‘just compliance’’
  • Define and determine unique niche
  • Don’t create redundant documentation
  • Have long-range strategy

Design Documentation & Evaluation

Lynn Fountain, CPA, MBA

Sr. Manager Risk Assessment & Audit Services

Aquila, Inc.

Getting Started
  • Tools
    • Information repository
    • Financial statement linkage
    • Ongoing attestation
  • Process classification scheme
    • Define business cycles
    • Define processes & sub-processes
Documentation Requirements
  • Risk Matrix
    • Identify relevant financial statement/reporting risks
    • Identify operational or compliance risks that have key financial links
  • Control Points
    • Key Controls
      • Ensures propriety and effective management of process
    • Secondary Controls
      • Support a key control
      • Are supported by other controls in the process
Risk Control Matrix

ORGANIZATION: Corporate 10.05.01 Accounts Payable

Process Owner: John Doe
Process Effectiveness: Not Evaluated

Accounts Applicable: 1000 Assets: 1110 Cash & Cash Equivalents: 1111 Cash, 2000 Liabilities: 2130 Accounts Payable:

Assertions                       Evaluation
Access to Assets                 Effective
Authorization                    Not Evaluated
Completeness and Accuracy        Effective
Presentation and Disclosure      Effective

Risks                     Design         Operation
Applications Risk         Effective      Not Effective
Fraud                     Effective      Effective
Payment Accounting        Ineffective    Not Evaluated
Payment Accuracy          Effective      Effective
Payment Authorization     Ineffective    Not Evaluated
Vendor Maintenance        Effective      Effective

CONTROL LIST:

Specific/Preventive/Manual

A standard payment request form is utilized to ensure consistent information is conveyed when a payment is processed

A/P provides Treasury with a copy of daily Detail Report in order to verify integrity and Completeness of the batch file uploaded to Integrity

Monitoring/Detective/Manual

Access to each page and function within PeopleSoft is managed and set up by System Administration in order to limit user access as appropriate by need (KEY)

Pervasive/Preventive/System

Access to make changes (i.e. address, bank account, etc.) to a vendor is limited to the System Administrator (KEY)

 Any coding errors identified by the system are kicked out to a coding error queue where the image of the voucher is saved, and the voucher is put on “recycle”. A/P reviews this log daily to ensure timely resolution (KEY)

Evaluating Process Design
  • Sequence of evaluation
    • Individual control design
      • Prevention/detection of material misstatement
    • Collective control design
      • Reasonable assurance “collective” controls reduce risks to an acceptable level
    • COSO elements
      • Process control environment, risk assessment & information/communication
    • Overall process design
Individual Control Considerations
  • Existence
  • Design
  • Attributes
    • Value of individual control
    • Placement of control in the process
    • Process efficiency
    • Experience of individuals executing the control
    • Preventive/Detective
    • System/Manual
Collective Control Considerations
  • Primary vs. secondary
  • Detective vs. preventive
  • System vs. manual
  • Overall risk mitigation impact
  • Monitoring controls
  • Past control variances
  • Reporting of control practices
COSO Element Considerations
  • Control Environment
    • Roles & Responsibilities
    • Policies & Practices
  • Risk Assessment
    • Existence of process objectives
    • Availability of resources
  • Information & Communication
    • Information Technology
    • Reporting and communication
Overall Process Design
  • Final Considerations
    • Efficiency of individual controls
    • Risk mitigation impact of collective controls
    • Existence of process COSO elements
  • Effective
    • No significant design gaps noted in any sequence of analysis that may result in material misstatement
  • Ineffective
    • Potential design gaps may result in a material misstatement

Documentation & Testing

Bruce Caplain, CPA
Director of Auditing

John Hancock Financial Services, Inc.

Documentation & Testing
  • Precursors to testing
  • Communicating testing concepts
  • Performing the tests
  • Documenting your testing
  • Lessons learned
  • Precursors to Testing:
    • Executive support
    • Knowledge of the Sarbanes process
    • Management owning the process
    • Well documented controls
    • Ramifications of non-compliance
  • Communicating testing concepts
    • Teaching non-auditors to audit
      • Training, training, and more training
      • Tools, tools, and more tools
    • Evidence of control vs. testing controls
  • Performing the tests:
    • What is the objective of your test?
    • Who should test?
    • Which controls should you test?
    • How detailed should your testing be?
    • How large is the sample size?
    • What period should it cover?
  • Document your testing
    • Ideal vs. acceptable
    • System vs. manual
    • What needs to be evidenced
    • Testing documentation tool
  • Lessons Learned
    • Standardization
    • Dry run attestation before due date
    • Training, training, training, training
    • Tools, tools, tools, tools
    • Follow up
    • Biggest key to success is executive support

Remediation – When Testing is Done

Greg Neely, CIA

Senior Director Operations Review
Sysco Corporation

Remediation – When Testing is Done
  • Overview of the work completed thus far
    • Mapped out and identified the processes
    • Determined the materiality of each process
    • Completed testing the processes and the internal controls
  • Deal with the gaps and shortfalls
Dealing with the Gaps and Shortfalls
  • Controls Fail
    • What is the materiality of the Control

Controls should have been rated a level of importance

The control owner indicates if the test passed or failed

  • Controls Fail
    • What is the materiality of the control
    • Are there compensating controls in place (If no compensating control, put the control in place and retest)
    • How does this affect other Sarbanes-Oxley Certifications (302)
  • Missed a Process
    • Determine if the process and related controls are material
    • If material, document the process and related controls
    • Perform testing
  • Acquisitions
    • Determine if the acquisition is material
    • Develop a standard template of processes and controls and provide this template to the acquired entity
    • Over test if needed
  • Over testing the work performed
    • Does the testing need to be verified
    • Who performs the over test
    • When over testing identifies errors
    • How do you document over testing

Document over testing procedures and conclusions reached

Attach a copy of the worksheet over tested so it cannot be altered

  • Certification
    • Continue to monitor the processes
    • Document monitoring procedures for external audit verification
    • Determine if additional testing is necessary prior to certification
    • If the process or the control environment changes you will need to re-test
The Institute of Internal Auditors 2004 Program on Sarbanes-Oxley
  • Jan 13 - Documenting & Testing Controls
  • Feb 10 - IT Control Identification & Testing
  • Mar 9 - Balancing SOA with Risk Based Audit Planning
  • April 13 - Strategies for Internal & External Relationships
  • May 11 - IA Role in Management’s Assertion
  • June 8 - Start of 2004 Webcast Program 2
  • Pricing:
    • 10 sessions = $500
    • First 5 or second 5 = $300
    • Individual session = $75
    • CPE viewer credit = $15 [www.auditlearning.org]
Conclusions
  • Documentation must be complete
  • Documentation must follow plan
  • Documentation must support conclusions
  • Documentation should cover all processes that support material accounts in Financial Statements
  • Corrective action documentation must enable testing prior to certification date
Next Webcast

February 10, 2004

“IT Control Identification & Testing”

See you at our next webcast!
