Documenting testing controls

Documenting & Testing Controls. The Institute of Internal Auditors 2004 Program on Sarbanes-Oxley January 13, 2004. Dave Richards, CIA, CPA Director, Internal Auditing FirstEnergy Corporation. Agenda. 1:00 - 1:05 Introduction & Overview- Dave Richards


Documenting & Testing Controls

The Institute of Internal Auditors 2004 Program on Sarbanes-Oxley
January 13, 2004

Dave Richards, CIA, CPA
Director, Internal Auditing
FirstEnergy Corporation


Agenda

1:00 - 1:05 Introduction & Overview-

Dave Richards

1:05 - 1:15 Process Universe & Documentation -

Bob Biancalana

1:15 - 1:25 Design Documentation & Evaluation -

Lynn Fountain

1:25 – 1:35 Documentation & Testing -

Bruce Caplain

1:35 - 1:45 Remediation – When Testing is Done -

Greg Neely

1:45 - 1:50 Break

1:50 - 2:25 Questions & Answers - Panel

2:25 - 2:30 Concluding Remarks - Dave Richards


Key Documentation Issues

1. Approach

2. Processes

3. Risks

4. Controls

5. Design assessment

6. Key Controls to be tested


Key Documentation Issues

7. Test plans

8. Test results

9. Identification of control deficiencies

10. Corrective action plans

11. Re-testing

12. Assertion statements



Process Universe and Documentation

Bob Biancalana, CIA, CPA, CISA
Director of Internal Audit Services
Caremark Rx, Inc.



Define the 404 Process Universe

Documenting the 404 Processes

Process Universe and Documentation


Process Universe and Documentation

Define Correct “Auditable Process” Level

Identification of Total Process Universe

Define “Financial Reporting” Using COSO

Eliminate and Prioritize



Entity Wide

Bridge

Task/Procedure Level

Policies & Regulations

Key Processes & Internal Controls

Training Manuals

Determining the Boundaries



Determining the Boundaries

Caremark

Entity Wide Policies

  • Functional Units

    • Control Units

      • Auditable Processes

        • Sub-Processes

          • Tasks (Procedures)

SOX 302 Quarterly Internal Control Certifications

SOX 404 Documentation of Processes, Risks and Controls

Training Manuals




Process Documentation

Facilitates risk identification and assessment

  • Begins with the end in mind

  • Focuses on quality concept of inputs, processing and outputs

  • Integrates operational, system and financial reporting flows






CAAT and GAAP Technique

  • For each data transfer point in our process map, we should consider the following causes of error:

    The data is…

    • Incomplete

    • Inaccurate

    • Unauthorized

    • Untimely

  • Also, for the data transfer point where data is input into the G/L, we should consider the risk that GAAP is not applied correctly.

  • CAAT


    Financial Assertions

    Through utilization of the CAAT technique and a consideration of GAAP, we will identify the potential causes of errors related to the financial assertions:


    Key Points

    • Point of contention is definition of “financial reporting”

    • Go beyond ‘‘just compliance’’

    • Define and determine unique niche

    • Don’t create redundant documentation

    • Have long-range strategy



    Design Documentation & Evaluation

    Lynn Fountain, CPA, MBA

    Sr. Manager Risk Assessment & Audit Services

    Aquila, Inc.


    Getting Started

    • Tools

      • Information repository

      • Financial statement linkage

      • Ongoing attestation

    • Process classification scheme

      • Define business cycles

      • Define processes & sub-processes





    Risk Matrix

    Identify relevant financial statement/reporting risks

    Identify operational or compliance risks that have key financial links

    Control Points

    Key Controls

    Ensures propriety and effective management of process

    Secondary Controls

    Support a key control

    Are supported by other controls in the process

    Documentation Requirements


    Risk Control Matrix

    ORGANIZATION : Corporate 10.05.01 Accounts Payable

    Process Owner: John Doe Process Effectiveness: Not Evaluated

    Accounts Applicable: 1000 Assets: 1110 Cash & Cash Equivalents: 1111 Cash, 2000 Liabilities: 2130 Accounts Payable:

    Assertions                     Evaluation
    Access to Assets               Effective
    Authorization                  Not Evaluated
    Completeness and Accuracy      Effective
    Presentation and Disclosure    Effective

    Risks                    Design         Operation
    Applications Risk        Effective      Not Effective
    Fraud                    Effective      Effective
    Payment Accounting       Ineffective    Not Evaluated
    Payment Accuracy         Effective      Effective
    Payment Authorization    Ineffective    Not Evaluated
    Vendor Maintenance       Effective      Effective

    CONTROL LIST:

    Specific/Preventive/Manual

    A standard payment request form is utilized to ensure consistent information is conveyed when a payment is processed

    A/P provides Treasury with a copy of daily Detail Report in order to verify integrity and Completeness of the batch file uploaded to Integrity

    Monitoring/Detective/Manual

    Access to each page and function within People Soft is managed and set up by System Administration in order to limit user access as appropriate by need (KEY)

    Pervasive/Preventive/System

    Access to make changes (i.e. address, bank account, etc.) to a vendor is limited to the System Administrator (KEY)

     Any coding errors identified by the system are kicked out to a coding error queue where the image of the voucher is saved, and the voucher is put on “recycle”. A/P reviews this log daily to ensure timely resolution (KEY)


    Evaluating Process Design

    • Sequence of evaluation

      • Individual control design

        • Prevention/detection of material misstatement

      • Collective control design

        • Reasonable assurance “collective” controls reduce risks to an acceptable level

      • COSO elements

        • Process control environment, risk assessment & information/communication

      • Overall process design



    Individual Control Considerations

    • Existence

    • Design

    • Attributes

      • Value of individual control

      • Placement of control in the process

      • Process efficiency

      • Experience of individuals executing the control

      • Preventive/Detective

      • System/Manual


    Collective Control Considerations

    • Primary vs. secondary

    • Detective vs. preventive

    • System vs. manual

    • Overall risk mitigation impact

    • Monitoring controls

    • Past control variances

    • Reporting of control practices


    COSO Element Considerations

    • Control Environment

      • Roles & Responsibilities

      • Policies & Practices

    • Risk Assessment

      • Existence of process objectives

      • Availability of resources

    • Information & Communication

      • Information Technology

      • Reporting and communication


    Overall Process Design

    • Final Considerations

      • Efficiency of individual controls

      • Risk mitigation impact of collective controls

      • Existence of process COSO elements

    • Effective

      • No significant design gaps noted in any sequence of analysis that may result in material misstatement

    • Ineffective

      • Potential design gaps may result in a material misstatement



    Documentation & Testing

    Bruce Caplain, CPA
    Director of Auditing
    John Hancock Financial Services, Inc.


    Documentation & Testing

    • Precursors to testing

    • Communicating testing concepts

    • Performing the tests

    • Documenting your testing

    • Lessons learned


    Documentation & Testing

    • Precursors to Testing:

      • Executive support

      • Knowledge of the Sarbanes process

      • Management owning the process

      • Well documented controls

      • Ramifications of non-compliance


    Documentation & Testing

    • Communicating testing concepts

      • Teaching non-auditors to audit

        • Training, training, and more training

        • Tools, tools, and more tools

      • Evidence of control vs. testing controls


    Documentation & Testing

    • Performing the tests:

      • What is the objective of your test?

      • Who should test?

      • Which controls should you test?

      • How detailed should your testing be?

      • How large is the sample size?

      • What period should it cover?


    Documentation & Testing

    • Document your testing

      • Ideal vs. acceptable

      • System vs. manual

      • What needs to be evidenced

      • Testing documentation tool


    Documentation & Testing

    • Lessons Learned

      • Standardization

      • Dry run attestation before due date

      • Training, training, training, training

      • Tools, tools, tools, tools

      • Follow up

      • Biggest key to success is executive support



    Remediation – When Testing is Done

    Greg Neely, CIA
    Senior Director Operations Review
    Sysco Corporation


    Remediation – When Testing is Done

    • Overview of the work completed thus far

      • Mapped out and identified the processes

      • Determined the materiality of each process

      • Completed testing the processes and the internal controls

    • Deal with the gaps and shortfalls


    Dealing with the Gaps and Shortfalls

    • Controls Fail

      • What is the materiality of the Control



    Dealing with the Gaps and Shortfalls

    Controls should have been rated a level of importance

    The control owner indicates if the test passed or failed


    Dealing with the Gaps and Shortfalls

    • Controls Fail

      • What is the materiality of the control

      • Are there compensating controls in place (If no compensating control, put the control in place and retest)

      • How does this affect other Sarbanes-Oxley Certifications (302)


    Dealing with the Gaps and Shortfalls

    • Missed a Process

      • Determine if the process and related controls are material

      • If material, document the process and related controls

      • Perform testing


    Dealing with the Gaps and Shortfalls

    • Acquisitions

      • Determine if the acquisition is material

      • Develop a standard template of processes and controls and provide this template to the acquired entity

      • Over test if needed


    Dealing with the Gaps and Shortfalls

    • Over testing the work performed

      • Does the testing need to be verified

      • Who performs the over test

      • When over testing identifies errors

      • How do you document over testing


    Dealing with the Gaps and Shortfalls

    Document over testing procedures and conclusions reached

    Attach a copy of the worksheet over tested so it cannot be altered


    Dealing with the Gaps and Shortfalls

    • Certification

      • Continue to monitor the processes

      • Document monitoring procedures for external audit verification

      • Determine if additional testing is necessary prior to certification

      • If the process or the control environment changes you will need to re-test


    The Institute of Internal Auditors 2004 Program on Sarbanes-Oxley

    • Jan 13 - Documenting & Testing Controls

    • Feb 10 - IT Control Identification & Testing

    • Mar 9 - Balancing SOA with Risk Based Audit Planning

    • April 13 - Strategies for Internal & External Relationships

    • May 11 - IA Role in Management’s Assertion

    • June 8 - Start of 2004 Webcast Program 2


    The Institute of Internal Auditors 2004 Program on Sarbanes-Oxley

    • Pricing:

      • 10 sessions = $500

      • First 5 or second 5 = $300

      • Individual session = $75

      • CPE viewer credit = $15 [www.auditlearning.org]


    Conclusions

    • Documentation must be complete

    • Documentation must follow plan

    • Documentation must support conclusions

    • Documentation should cover all processes that support material accounts in Financial Statements

    • Corrective action documentation must enable testing prior to certification date


    Next Webcast

    February 10, 2004

    “IT Control Identification & Testing”

    See you at our next webcast!

