Balancing sox with risk based audit planning
1 / 31

Balancing SOX with Risk Based Audit Planning - PowerPoint PPT Presentation

  • Updated On :

Balancing SOX with Risk Based Audit Planning. The Institute of Internal Auditors March 9, 2004. Dave Richards, CIA, CPA Director, Internal Auditing FirstEnergy Corporation. Balancing SOX with Risk Based Audit Planning. Introduction & Overview Dave Richards, FirstEnergy

Related searches for Balancing SOX with Risk Based Audit Planning

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Balancing SOX with Risk Based Audit Planning' - Jims

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Balancing sox with risk based audit planning l.jpg

Balancing SOX with Risk Based Audit Planning

The Institute of Internal AuditorsMarch 9, 2004

Dave Richards, CIA, CPADirector, Internal AuditingFirstEnergy Corporation

Slide2 l.jpg


SOX with Risk Based Audit Planning

  • Introduction & Overview

  • Dave Richards, FirstEnergy

  • Finding the Balance

  • Brian Appleton, National Penn Bancshares

  • Year 2 Audit Planning

  • Carl Balderson, Pinnacle West Capital

  • Balancing Issues for Large Shops

  • Peg Weir, United States Postal Service

  • Break

  • Q & A

Key balancing issues l.jpg
Key Balancing Issues

1. Involvement in SOX 404 Work

2. Expectations of AC & Sr. Mgt

3. Risk Model Impacts

4. Emphasis on Financial Audits

5. Increased IT General Controls Topics

6. Using 404 Results to Drive Audits

7. Dealing with SOX Issues

8. Impact on External Auditor Relationship & Work Support

Key balancing issues4 l.jpg
Key Balancing Issues

9. Using 404 Model for Operational & Compliance Topics

10. Staff Productivity Enhancements

11. IAD Tools for Control Assessments

12. Rotation of Audit Topics???

13. Building on SOX 404 Work

14. IAD Customer Relationships

15. Impact on Audit Contingency

16. Internal Control Opinions in Audits

Finding the balance l.jpg

Finding the Balance

Brian T. Appleton, CIA, MBA,CDP

Executive Vice President

Director of Internal Audit

National Penn Bancshares

Overview of company l.jpg
Overview of Company

  • Company Size

  • Audit Division

  • Client Focused Philosophy

  • Process Owner Class

Status of 404 l.jpg
Status of 404

  • Tone at the top

  • How 404 is implemented makes a difference

  • High level risk-assessment completed

  • Documentation phase in progress

Balance l.jpg

  • Identify the coordinating scheme

  • Complement, not supplement

  • Be flexible and creative

  • Focus your scope

  • Standardize the documentation

  • Take a closer look at opportunities

    • Management

    • Audit

Impact on internal clients l.jpg
Impact on Internal Clients

  • Creates a more sophisticated clientele

  • Fosters uniformity in structure

  • Increases accountability for results

  • Promotes process ownership by management

Impact on audit approach l.jpg
Impact on Audit Approach

  • Enhance auditor knowledge

  • Career growth opportunity

  • Role of auditors as facilitators

  • Expansion of skill set to educator

  • Springboard effect

    • Operational and compliance audits

    • Control Self Assessment

    • Enterprise Risk Management

Benefit to audit committee l.jpg
Benefit to Audit Committee

  • Stronger assurance of controls

  • Create new metrics

  • Published accountability through sign-offs

Summary l.jpg

  • Identify the changes, find a balance

  • Allocate resources early

  • Sell the benefit to the company

  • Find and publish the positives

  • Think of SOX 404 as complementing audit coverage

Year 2 audit planning l.jpg

Year 2 Audit Planning

Carl Balderson, CIA, CPA, CFEDirector of Audit Services

Pinnacle West Capital Corporation

Driving change l.jpg

Re-balancing is continued evolution

Changed audit committee expectations

Changed management expectations

Driving Change

Impacts of sox l.jpg

Increase management awareness of internal controls

Audit customer responsiveness

Greater emphasis on IT auditing

Verify quarterly review for IC changes

Impacts of SOX

Planning steps l.jpg

Risk based planning with pre-SOX methodology

What we Think is needed for SOX

Follow-up open issues

Test changed process documentation

Test Key controls

Integrate to avoid duplication

Alternate depth of efforts with future years

Allocate available resources

Planning Steps

Productivity initiatives l.jpg

Automated Work Papers

Productive Time Targets

Emphasize Project Budgets

In-house and Local Training

Productivity Initiatives

Contingency planning l.jpg

Small number of hours unallocated

Renewed emphasis on “Stop & Go” auditing

Administrative assistant/secretary vs. para-professional auditor

Be more selective in what we address

Contingency Planning

Driving long term value l.jpg

Integrate SOX compliance and risk management processes

Examine risk management processes for efficiency

Documentation of new systems

Integrate SOX documentation with business resumption plans

Utilize documentation for training

Driving Long-Term Value

Balancing issues for large shops l.jpg

Balancing Issues for Large Shops

Margaret (Peg) Weir

Manager, Internal Control Group

United States Postal Service

Slide21 l.jpg

Independent government entity


Annual operating revenue +/- $70B

Second largest civilian employer

38,000 Post Offices

Office of Inspector General

United States Postal Service

Internal control group l.jpg
Internal Control Group

  • CFO vision

  • Established ICG organization

    • Complements OIG function

    • “End-to-end” process

    • Looks for efficiencies and risks of inefficiencies

Internal audit internal control policy vs process l.jpg
Internal Audit-Internal Control“Policy vs. Process”

  • Internal Audit - Financial Statements fairly represent operations

    • Monies

    • Expenses

    • Work hours

    • Assets

  • Internal Control - Reasonable Assurance – achievement of fundamental business goals

    • Reliability

    • Exist, effective, efficient

    • Compliance with laws/regulations

  • Internal control group24 l.jpg
    Internal Control Group

    • Identify risk through data and process analysis

    • Partner with process owner to mitigate prioritized risk

    • Analyze trends and indicators

    • Conduct internal control reviews

    • Develop improved controls to meet goals and objectives

    Sarbanes oxley act l.jpg
    Sarbanes-Oxley Act

    • Voluntarily adopting parts of Section 404

    • Makes good business sense

    Internal control group26 l.jpg
    Internal Control Group

    • Senior management provides direction and oversight

    • Focus based on:

      • Guidance

      • Risk analysis

      • Risk prioritization

    • Resources support mandate

    Internal control group27 l.jpg
    Internal Control Group

    • Enterprise-wide from corporate to local

    • Interdependencies vs. stovepipes

    • Partnership with process owners

    • Data driven

    • Targeted reviews

    • Standardized approach using COSO framework

      • Root causes

      • Meaningful recommendations to improve controls

    • Reasonable assurance goals & objectives will be met

    Internal control group status l.jpg
    Internal Control Group Status

    • Implemented preliminary activities of COSO framework

    • Adjusted as lessons learned

    • Developing additional training

    • Enhancing the analytical & reporting tool

    Internal control group29 l.jpg
    Internal Control Group

    • Internal Control Group complements internal audit process

    • Internal Control Group supports performance-based culture

    • Internal Control Group establishes foundation for long-term enterprise-wide improvements and efficiencies

    • Internal Control Group is dynamic & evolving

    Conclusions l.jpg

    • SOX 404 WILL IMPACT what we do

    • What impact it has must be managed

    • Upfront drivers for impact must be understood

    • Changes in approach, scope, & results expectations must be communicated

    • AC, Sr. Mgt. & IAD Customers must recognize the impact on identifying & performing work

    • IAD must be more productive to meet this challenge

    • External Auditor relationship must be managed

    Next webcast l.jpg
    Next Webcast

    April 13, 2004

    “Strategies for Internal & External Relationships”

    See you at our next webcast!