Agenda • Getting Started • Scoping • The COSO Environment • Anti-Fraud Controls • Internal Control Questionnaires • Documentation • Testing • Evaluation of Internal Control Deficiencies and Reporting
Geller & Company and You
• The Public Company Accounting Reform and Investor Protection Act of 2002 (the Sarbanes-Oxley Act) has brought about the most extensive reform that the US financial markets have seen since the enactment of the Securities Act of 1933 and the Securities Exchange Act of 1934.
• The impact of the Act has been felt throughout the financial markets; every industry and service sector has been, and will continue to be, impacted. Section 404 of the Act, Management Assessment of Internal Controls, which may be the most challenging aspect of the Act, requires most publicly registered companies and their external auditors to report on the effectiveness of the company’s internal control over financial reporting.
• Geller & Company has implemented a four-phase approach to assist companies in complying with Section 404 of the Sarbanes-Oxley Act. The primary benefits of outsourcing a project such as this to Geller & Company include:
  • Strategic focus – Your personnel will have more time to focus on their regular ongoing and operational responsibilities.
  • Access to talent – Your company will have access to resources (e.g., personnel experienced in documenting policies and procedures and controls) that it would not want/need to carry on a full-time basis.
  • Objectivity – Our involvement will provide an additional degree of comfort to audit committee members, the board, auditors and management.
  • Partnership with an organization with a long track record – We employ more than 250 people at our firm, and we have a 21-year track record of success.
  • Additional resources – Our depth will allow us to tap into other resources and contacts throughout our firm, should issues arise.
  • Relationship with auditors – We have a very close working relationship with all of the National and Regional CPA firms. These firms have a high degree of confidence in our work product.
  • Relevant experience – Our professionals have the relevant experience necessary to conduct this assignment.
  • Flexibility – We have the ability to scale up or down quickly as your company’s needs dictate.
  • Best practices – We will bring you the benefit of our experience serving as the accounting and finance department for a wide variety of companies in terms of identifying best practices and improvement opportunities.
The Four Phase Description
• Project initiation
  • Establish scope and timing - client's participation and role toward compliance.
  • Develop training material for client and staff to participate in SOX compliance.
  • Develop environmental questionnaires for management and audit committee.
  • Establish scope of consolidating entities.
  • Review existing policies and procedures.
  • Meet with external auditor.
• Phase I - Scoping
  The scoping process is used to identify the significant accounts, disclosures, business processes/cycles and locations that must be documented and tested.
  • Identify significant accounts and disclosures by considering:
    • Items separately disclosed in the consolidated financial statements
    • Qualitative and quantitative factors
    • Materiality at the consolidated financial statement level
  • Identify business processes/cycles and sub-processes/cycles and map to significant accounts and disclosures.
  • Identify the relevant financial statement assertions for each significant account and disclosure.
  • Perform a risk assessment of the business sub-processes/sub-cycles.
  • Obtain a complete listing of locations or business units.
  • Map locations to the business processes/cycles and sub-processes/sub-cycles previously identified.
The Four Phase Description (continued)
• Phase II - Documentation
  The documentation produced in the Section 404 project forms the basis and support for management’s evaluation of internal control over financial reporting. Further, the SEC’s final rules on Section 404 indicate that it is a company’s responsibility to document internal control and that developing and maintaining such documentation is inherent to effective internal control.
  • Determine scope of documentation – determine which accounts and disclosures will be evaluated and which locations should be included in the scope of the company’s internal control documentation.
  • Meet with external auditor for guidance on approach.
  • Develop process documentation – document the flow of transactions for significant accounts and disclosures to determine where material misstatements due to error or fraud could occur. Identify the control activities within these processes. This includes narratives and flowcharts.
  • Develop control documentation – document controls within each of the five components of internal control and specifically address company-level controls, anti-fraud programs and evaluation of the audit committee’s effectiveness.
  • Assess the design of controls – evaluate whether the company’s controls are adequately designed to mitigate the risk of material misstatement.
• Phase III - Testing
  To demonstrate effective internal control over financial reporting, management should determine whether the company’s controls are operating effectively. This requires testing the controls. The company must retain evidence of this testing to support management’s assessment of internal control over financial reporting.
  • Develop the test plans.
  • Obtain client and auditor approval of testing approach.
  • Execute the test plans (what, how and when to test) based on narratives, matrices and flowcharts of key processes.
  • Evaluate the test results.
The Four Phase Description (continued)
• Phase IV - Summarize testing results and develop solutions for internal control gaps
  Evaluating the significance of internal control deficiencies and reporting is an evolving area that will require a significant degree of management judgment. Control deficiencies can range from internal control deficiencies to significant deficiencies to material weaknesses in internal control.
  • Step 1: Identify the deficiencies
  • Step 2: Understand and assess the deficiency
  • Step 3: Assess the likelihood of misstatement
  • Step 4: Assess potential magnitude of misstatement
  • Step 5: Identify compensating controls
  • Step 6: Determine classification of deficiencies
  • Step 7: Assess deficiencies in aggregation with others
  • Final report on the assessment of internal controls
Getting Started
• The scope of the Section 404 assessment will extend well beyond a company’s finance and accounting departments. Areas assessed will also include:
  • Information technology
  • Tax
  • Legal
  • Human resources
  • Internal audit functions
• Management will have to coordinate with third parties, including their external auditor and providers of outsourced services (e.g., ADP Payroll, General Ledger Accounting Packages).
• Although the task for compliance with the Sarbanes-Oxley Act will be a large endeavor during the first year, you will have to comply annually.
Getting Started – Project Oversight • The project will impact many of the company’s major departments and functions. Because of this, communication of the importance of compliance should come from the Chief Executive Officer. Otherwise, employees might perceive the compliance effort as concerning primarily the finance and accounting functions. • Completion of the project will require a significant amount of time and company resources. • Projects are most successful when they are overseen, on a day-to-day basis, by a Controller or Internal Auditor (or someone with an equivalent senior title) and are supported by the audit committee and senior management (principally the chief executive officer and chief financial officer). • Geller & Company will work directly with members of your company, including your designated company project leader, as well as the Audit Committee, Board of Directors, CEO, CFO, Department Managers and your External Auditor. This ensures compliance efforts will be successful and enable your external auditor to issue an attestation report on your assessment of internal controls over financial reporting.
Scoping
• Geller & Company will assist in identifying your significant accounts, disclosures, business processes/cycles and locations that are subject to assessment. Financial Statement Assertions will be mapped to the corresponding cycles.
• Scoping considerations are addressed as they relate to the five components of the COSO framework:
• Also, the period-end reporting process, accounting judgments and estimates, notes to the financial statements, general computer controls and company-level controls will be assessed.
Scoping – Financial Statement Assertions • Geller & Company will assist in linking the Financial Statement Items on the Balance Sheet and Income Statement to the Corresponding Cycles and Assertions.
Scoping – The COSO Framework
Monitoring
• Assessment of a control system’s performance over time
• Combination of ongoing and separate evaluation
• Management and supervisory activities
• Internal audit activities
Control Activities
• Policies/procedures that ensure management directives are carried out
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties
Information & Communication
• Pertinent information identified, captured and communicated in a timely manner
• Access to internally and externally generated information
• Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action
Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives – forming the basis for determining control activities
Control Environment
• Sets tone of organization, influencing control consciousness of its people
• Factors include integrity, ethical values, competence, authority, responsibility, organization structure, HR policies and IT control environment
• Foundation for all other components of control
Anti-Fraud Provisions
• The SEC’s rules relating to management’s reports on internal control include commentary on the background of the rules and insight on how the rules should be interpreted and implemented, including:
  • The assessment of a company’s internal control over financial reporting must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness. Controls subject to such assessment include, but are not limited to: …controls related to the prevention and detection of fraud.
• In addition to the SEC guidance, the PCAOB, in its Auditing Standard No. 2, has stated the following:
  • Management's responsibility when designing a company's internal control over financial reporting is to design and implement programs and controls to prevent, deter and detect fraud.
  • Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee), should set the proper tone; create and maintain a culture of honesty and high ethical standards; and establish appropriate controls to prevent, deter and detect fraud.
Internal Control Questionnaires
• Geller & Company has developed three environmental questionnaires that will assist in assessing the company’s Control Environment.
  • Company-wide controls
  • Audit committee effectiveness
  • IT control objectives
• The questionnaires follow the COSO framework for company entity-wide controls and audit committee effectiveness, as well as Control Objectives for Information and related Technology (CobIT), for IT-related controls.
Documentation • Geller & Company will assist your company in documenting your controls and processes. • After determining which accounts and disclosures will be evaluated and which locations should be included in the scope of the company’s internal control documentation, our approach includes the following steps: • Develop process documentation – Document the flow of transactions for significant accounts and disclosures. Identify the control activities within these processes. • Develop control documentation – Document controls within each of the five components of internal control and specifically address company-level controls, anti-fraud programs and evaluation of the audit committee’s effectiveness. • Assess the design of controls – Evaluate whether the company’s controls are adequately designed to mitigate the risk of material misstatement. • The SEC’s final rules on Section 404 indicate that it is a company’s responsibility to document internal control and that developing and maintaining such documentation is inherent to effective internal control.
Sample Documentation Narrative 5 Pages Total
Testing
• To demonstrate effective internal control over financial reporting, management needs to determine whether the company’s controls are operating effectively. This requires testing the controls.
• The testing of controls generally relates to significant processes and major classes of transactions for relevant financial statement assertions related to significant accounts and disclosures. Therefore, the underlying assumption is that all exceptions/deficiencies resulting from the testing must be evaluated because they relate to accounts and disclosures that are material to the financial statements taken as a whole.
• The purpose of testing controls is to achieve a high level of assurance that the controls are operating effectively. The company must retain evidence of this testing to support management’s assessment of internal control over financial reporting.
• Geller & Company’s approach to the testing phase can be divided into three key steps:
  • Develop the test plans (including what, how and when to test) and identify who will perform the testing
  • Execute the test plans
  • Evaluate the test results
Evaluating Results – Addressing Deficiencies • Once you identify your control environment, document the processes and controls and test the controls, it is likely that there will be gaps or deficiencies to remediate. • Geller & Company will assist in the identification, assessment and classification of internal control deficiencies.* Our approach follows five phases. *Based on the “Framework for Evaluating Control Deficiencies, Version 3 (issued 12/20/04)”
Our Contact Information
Office Location: 800 Third Avenue, 19th Floor, New York, New York 10022, (212) 583-6000

Gary Berrigan – A senior member of Geller & Company’s Emerging Business Group. Gary will be the project leader for this engagement. As project manager for Sarbanes-Oxley, Gary manages new engagements for Geller & Company, ensuring that its clients are in compliance with the Sarbanes-Oxley Act. Some of his experience includes serving as Global Coordinator and Manager of Internal Controls for a subsidiary of a billion-dollar Fortune 500 Company ensuring compliance with the Sarbanes-Oxley Act, Director of Fraud Investigations for a global Life Insurance Company and 10 years as a Financial Analyst with the Federal Bureau of Investigation. He is skilled in evaluating the internal control environment of companies for compliance with the Sarbanes-Oxley Act both within the United States and internationally, as well as performing Sarbanes-Oxley readiness training and implementation. Gary will be responsible for the day-to-day execution of all phases for the Company.

Michael Bernstein – Leads the Emerging Business Group for Geller & Company and will serve as an overall relationship manager. Mike has more than 22 years of experience working with public and private companies. Prior to joining Geller & Company, Mike was a partner with Grant Thornton LLP where he served in senior positions, including SEC partner for the New York Area offices. He is also a board member and audit committee chair for Bradley Pharmaceuticals, a NYSE publicly traded company. Mike will work with the client service team to develop the plan, review the results and present our deliverables. He has served on panels at numerous venture and industry conferences, has been quoted in Business Finance Magazine (on the Sarbanes-Oxley Act), Forbes.com (on Corporate Governance matters), the Venture Capital Journal and Business Week and co-authored the book Raising Capital, published by Business Irwin Professional Publishing. In his role as Audit Committee Chairman, Mike has ongoing responsibility for Bradley Pharmaceuticals’ compliance with the Sarbanes-Oxley Act.