1 / 67

The Payroll Professional’s Perspective on Sarbanes Oxley

The Payroll Professional’s Perspective on Sarbanes Oxley. November 17, 2005 Presented by: Linda Obertin, CPP Vice President Fidelity Human Resource Services. A genda. Brief Overview of the Sarbanes-Oxley Act (SOX) Act

Pat_Xavi
Download Presentation

The Payroll Professional’s Perspective on Sarbanes Oxley

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Payroll Professional’s Perspective on Sarbanes Oxley November 17, 2005 Presented by: Linda Obertin, CPP Vice President Fidelity Human Resource Services

  2. Agenda • Brief Overview of the Sarbanes-Oxley Act (SOX) Act • The Impact of the Sarbanes-Oxley Act on the Organization and the Payroll Department • Compliance Framework • Focus on Controls • Sustainable SOX Compliance Point of View • Case Study: HR/Payroll Controls Rationalization • Case Study: ERP Controls Automation • SOX and SAS 70

  3. Getting Back On the Road to Compliance • Committee of Sponsoring Organizations of the Treadway Commission (COSO) • Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting • Studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions. • Good Practice Guidelines for assessing the risk of fraudulent financial reporting

  4. Catalyst for SOX.. (The Enron Story) • The objectives and roots of the Scheme to Defraud • Present Enron as a profitable business • Report annual earnings growth of 15 to 20 percent • Meet or exceed published expectations of industry analysts forecasting of earnings per share • Maintain investment grade credit rating • Increase the value of Enron stock SEC Seconded Amended Complaint v Lay,Skilling and Causey

  5. The Result • Enron Executives Made a fortune • Skilling: $103 Million • Causey: $23 Million • Lay: $90 Million SEC Seconded Amended Complaint v Lay,Skilling and Causey • Enron Employees Lose a Fortune • $3 Billion in retirement funds when stock fell • Total recovered: $150 Million ($17 Million for the attorneys) • Investors

  6. Sarbanes-Oxley Act (SOX) • The Public Company Accounting Reform and Investor Protection Act • An Act signed into law on July 30, 2002 • Overseen by the SEC-final SEC interpretive rules issued on June 6, 2003 • 11 Titles consisting of 65 sections covering corporate governance, auditor independence, financial disclosures, fraud, etc. • Established “to protect investors by improving the accuracy and reliability of corporate reporting” • Sarbanes-Oxley requires the use of a framework to identify, document and evaluate internal controls over financial reporting • Provides a logical methodology for analyzing a Company’s control system • Criminal Penalties

  7. Application of SOX • Public Company Accounting Oversight Board • Auditor Independence • Corporate Responsibility • Enhanced Disclosures • CEO and CFO personally certify and attest to the accuracy of the financial results (§302) • Management Assessment of Internal Control and Internal Control Evaluation (§404) • Real Time Disclosure of material changes affecting a company’s financial condition (§409) • Criminal Penalties for altering documents (§802) and Defrauding Shareholders (§807) • Enhanced Penalties for Non-Compliance • White Collar Crime Penalty Enhancement (Title IX) • Corporate Fraud and Accountability (Title XI)

  8. Penalty of Non-Compliance • Not having the procedures in place by the deadlines will result in de-listing of the company by the stock exchange or securities association through which its stock is traded. • Last week in a New York courtroom Ebbers was found guilty of orchestrating an $11 billion (£5.7 billion) fraud that led to the collapse of WorldCom, the biggest bankruptcy in American history. The verdict carries a maximum sentence of 85 years in jail. Legal experts reckon that when sentencing takes place in June, Ebbers will get 25 years. (Was sentenced to 25 years on 7/13/05) The 63-year-old will probably spend the rest of his life in jail. The case will also have a profound effect on American corporate life — on the way Wall Street conducts its business, the responsibilities of directors and the fate of those who breach those responsibilities. 3/20/05 Timesonline.co.uk

  9. Penalty of Non-Compliance • “Fraud's Many Helpers” The sheer number of subordinates who face criminal charges for these accounting frauds belies the myth that some of the biggest schemes of the past decade were carried out by a small group of devious executives. Rather, as the employees themselves recount under oath, dozens of people colluded to hide misdeeds from auditors and investors. At Enron Corp., nearly 30 face criminal charges. • At HealthSouth Corp., prosecutors have indicted 18 individuals who allegedly misstated their companies' finances using computer software systems, prepared phony documents and made improper entries on corporate accounting ledgers. Without their help, the frauds probably could not have taken place. Washingtonpost.com 3/20/05

  10. Who is impacted? • Directly affects • Registered public accounting firms • Publicly traded companies • Companies in the process of registering securities under the Securities Act of 1933 • Indirectly affects • Private companies that may go public in the future • Private companies that may be acquired by public companies • Private companies in states considering adopting parallel legislation • Private companies with industry regulators • Gov’t Agencies which report into OMB (Office of Mgmt and Budget) • Outsource Service Providers

  11. Still Time to Comply • Timeline • Less than $75 million in market capitalization extension through July 15, 2006. • More than $75 million in market capitalization are required to comply with the rule for the first fiscal year ending on or after Nov. 15, 2005. • Expense • Most companies spend $3M on SOX • Companies with less than $1M in Revenue will spend $550,000

  12. Corporate Response • Develop New Functional Role • Internal Audit Role • External Auditors • SOX Compliance Role • Expand Existing Responsibilities • Internal Audit Role • External Auditors

  13. Sarbanes Oxley Initial Compliance Approach Answerthink Model

  14. Hackett Research Findings* • Companies have greatly improved their financial reporting effectiveness, due to Sarbox • More than two thirds of all companies are now comfortable with financial forecasting and reporting outputs, up from 9% a year ago • Sarbox is placing a strain on improving the cost of finance, and the close cycle time • The cost of finance as a % of revenue has not dropped for the first time in a decade • Close cycle times have actually slightly increased, to just over a week for median and world-class companies • Companies are improving the transparency and the reliability of financial forecasts, but are doing so by using a very labor-intensive approach to Sarbox compliance which is consuming time and any savings from other initiatives *From The Hackett Group Book of Numbers, 2004

  15. SOX Compliance ObservationsCost of Compliance • In an FEI study in March 2005, 2004 SOX 404 compliance costs averaged $2.1M per billion in revenue1 • The majority of companies expect 2005 compliance costs to decrease from 2004, with most companies looking to achieve savings of at least 20%2 • According to a KPMG 404 Institute survey, roughly half the companies are looking to reduce the number of key controls as a driver of reduced compliance costs (2005 vs. 2004)2 Sources 1FEI March 2005 estimate for companies of $500-$999M in Annual Revenues 2KPMG 404 Institute SOX S404 Benchmark Study, April 2005

  16. SOX Compliance ObservationsBreakdown of SOX Compliance Costs for FY04 $1-$5 Billion in Revenue; $4.36 million in compliance costs Source: FEI Survey (March 21, 2005) N = 217

  17. SOX Compliance Observations How are companies planning to reduce compliance costs? n = 69 Initial Compliance Activities Out of Company’s Control Multiple Responses Allowed Source:KPMG 404 Institute SOX S404 Benchmark Study, April 2005

  18. SOX Compliance ObservationsDrivers of cost of control and compliance • Wide rages in the number of key processes and key controls is a primary driver of the differing levels of control costs amongst companies • Opportunities to leverage finance transaction processing consolidation remain • Top companies have leveraged their IT infrastructure and application management to reduce control complexity • Over 80% of companies report that at least half of their controls are manual controls • Controls are weighted more toward detective than preventive • Approximately 70% of deficiencies are either control design or operating effectiveness deficiencies, not documentation deficiencies Source:KPMG 404 Institute SOX S404 Benchmark Study, April 2005

  19. SOX Compliance ObservationsBusiness Impact • A decentralized and manual control environment drives up the cost of both on-going control and SOX 404 compliance • High deficiency rate attributed to the design and operation of key controls points to the need for process change • The high degree of manual controls may unnecessarily complicate the control environment • While compliance costs may be reduced as a function of the SOX 404 “learning curve”; a sustained reduction in the cost of control, and further reduction in cost of compliance, necessitates greater application of certain best practices: • Process standardization and simplification • Greater leverage through process centralization • Increased automation of the control environment

  20. Sustainable SOX Compliance – After Year 1Point of View Sustainable Compliance Initiative • Embed SOX Compliance in Organization • Define and Align organizational structure for long term SOX compliance • Operationalize project-based approach used in initial compliance effort • Automate compliance administration through use of leading SOX tools • Streamline Controls Framework • Review controls for composition and number vs. needed significant account and assertion coverage • Rationalize controls to company standard per process area/application platform • Automate controls within ERP, particularly daily and weekly transaction controls Embed SOX Compliance in Organization Streamline Controls Framework Utilize SOX as Transformation Imperative Process & Controls Effectiveness • Utilize SOX as Transformation Imperative • Evaluate SOX process documentation for “quick hit” (<6 months) improvement opportunities • Move to World-class processes to improve the business, and strengthen controls through benchmarks, best practice reviews for key areas, and business process improvement initiatives • Rationalize IT applications (e.g., single global ERP instance) to further automate controls, improve operations (e.g., faster financial close), and provide greater data integrity and decision support capabilities (e.g., data warehouse)

  21. Impact to Payroll/HR: Focus on Controls • Establish a Compliance Framework • Organizational objectives • Risk Assessment • Internal Controls • Internal and External Audit Procedures • Information & Communication • Monitoring • Control Activities • Review Organizational Components (divisions, departments job roles) • Identify the relationship of objectives to risks and financial transactions to internal controls

  22. Internal Controls • Internal Control is a process designed to provide reasonable assurance regarding the objectives in the following categories: • Effectiveness and Efficiency of operations • Compliance with applicable laws and regulations • Reliability of Financial Reporting • Internal Controls no longer just have to be in place, their effectiveness must be proven – IT’S THE LAW. • Controls are designed to detect or prevent an error or misstatement in the Financials • Activities carried out by internal and external auditors and by outside vendors are not controls

  23. Control Activities • Control Activities answer the following questions • Why is the control in place? • Who performs control? • What does the control do? • How does the control work? • Frequency of Control (i.e. daily, weekly, monthly etc.) • Where is control performed? • Proof of Control

  24. Control Identification • Control over numbers is the key • Identify risks • Identify control to mitigate risk • Does the control answer all questions? • Ask yourself, can you find away around the control? • If yes, gaps exist and should be identified • Action plan prepared for all gaps

  25. Payroll Transaction Level Controls • Typical transaction level control objectives for in-house and payroll services providers would be controls that provide a reasonable assurance that: • Payroll data is received from authorized sources • Payroll date is recorded completely and accurately (data validation) • Appropriate statutory and client specifications are used to calculate and process payroll deductions and tax withholding amounts • Payroll data is processed completely and accurately • Employee data maintained in master files is complete and accurate • Production of payroll checks is complete and accurate • Access to check stock and digital images (e.g. authorized signatures) is restricted to authorized personnel • Electronic disbursements (e.g. direct deposits) are complete, accurate and performed in a timely manner • Output reports are complete, accurate and distributed in accordance with client and contractual specifications

  26. Payroll IT Level Controls • Typical IT general control objectives for in-house or payroll services provider would be controls the provide a reasonable assurance that: • Changes to applications are authorized, tested, approved, properly implemented and documented • Changes to system software and hardware are authorized, tested approved, properly implemented and documented • Physical access to computer equipment, storage media, and program documentation is only granted to properly authorized individuals • Logical access to program and data are restricted to authorized individuals • Processing is scheduled and performed appropriately and deviations from scheduled processing are identified and resolved in a timely manner • Data transmission between the service organization and client organizations are complete, accurate and secure • Programs and data are routinely backed up and retained in a secure location.

  27. Documentation • Requires information about how transactions are initiated, recorded, processed and reported. (Control Structure) • Documented through narratives and workflow (flow charts) • Narrative contains more detail • Responsibility of control monitoring should be distributed appropriately • Disaster recovery plan should also be documented • Documentation for documentation’s sake will do little to prevent fraud • Behavior must be changed

  28. Narrative • Detail level should allow for the identification of controls related to each significant relevant assertion for significant accounts and disclosures in financial statements • Detail must be at a level sufficient for a third party to understand • Reference company policies – don’t restate • Cross reference items that overlap with other departments • Use “Titles” or “Departments” not names

  29. Narrative (Example) Checks and direct deposit stock are stored in the payroll workroom. Only employees with access to the Payroll area have access to the workroom. (C.A. 11) A payroll processor is responsible for check and direct deposit printing, sealing and mailing. Checks and direct deposit advices are printed, sealed, sorted and placed in locked bags for mailing in the Payroll workroom. The locked bags are sent to the mailroom for distribution. (C.A. 27) Out-of-town checks and direct deposit advices are sent overnight via UPS. Internally distributed advices are sorted and mailed to the designee on each floor through inter-office mail. The Payroll Manager does not have a password to the desktop used to print checks. In case of an emergency, the Payroll Manager would either call an employee to come back to the office to print a check or use the employee’s password. In the event the Payroll Manager is given the password of an employee, the employee is instructed to change their password immediately upon return to the office. An electronic file is sent to the bank listing the valid checks. (C.A. 19) All companies use a positive pay system with Bank of America. This system will not allow the bank to pay a check unless it is authorized by the company. Direct deposits are sent electronically to the bank. A schedule of each pay date during the year is sent to the bank. The bank will only accept direct deposit information on the scheduled dates. Control totals for checks and direct deposits are called into the bank and confirmed. (C.A. 35)

  30. Workflow • Information should be at “higher” level than detailed narrative • Chart all “key controls” • Financial processes and their associated controls • Interactions among the systems and financial processes • Financial reporting processes for generating control reports

  31. Develop Workflow Maps • Capture the events that initiate the process • Identify each activity that makes up the process and the sequence in which they occur • Identify where decision points occur • Identify the organization, role or person responsible for each activity • Identify work hand-off’s from one participant to another • Identify the computer systems involved to support the process • Capture deliverables moving from activity to activity within the process • Describe the end of the process and its resulting deliverables • Rate the complexity of the process (complex processes require more control than simple ones)

  32. Post Implementation • Controls must be monitored and tested • Documentation must be updated and maintained • Auditors may “walk through” activities documented • Will look for gaps, risks • Controls will be tested

  33. Controls Rationalization Case Study Company Profile and Approach Company Profile $9B consumer packaged goods company that manufactures and markets a line of processed food products. The Company's principal products include ketchup, condiments and sauces, frozen food, soups, beans and pasta meals, tuna and other seafood products, infant food and other processed food products. The Company operates in North America, Europe, Asia/Pacific and other operating entities. Approach • Focus was to look at standardizing processes and controls across global HR & Payroll operations • Sample group included: • 4 geographic regions (North America, United Kingdom, Northern Europe and Western Europe) • 12 locations across the 4 geographic regions • Hourly and salaried employees (broken out for time capture) • There are 8 basic sub-processes within HR and Payroll, with additional processes within • There were 21 variations of process flows across HR and Payroll

  34. Controls Rationalization Case StudyResults of Controls Rationalization Effort Scope of Evaluation • 92 HR & Payroll process flows and 149 key controls were evaluated across the 12 in-scope locations across the US and Europe Outcome • 8 standard processes were developed • Based on similar activities and controls within a process • Processes include: • New Hires • Manage Personnel • Master File Maintenance – System Access • Capture Payroll – Time for salaried employees • Capture Payroll – Time for hourly employees • Capture Payroll – Rewards • Process Payroll • Distribute Payroll • 12 standard controls were identified across the standard process flows, with 8 additional “region-specific” controls for Europe and the US, for a total of 20 total controls from the original 149 key controls.

  35. Controls Rationalization Case StudySample Client Deliverable: Key Controls Consolidation Library

  36. Controls Rationalization Case StudySample Client Deliverable: HR/Payroll “Best Practice” Controls Library

  37. Summary – Controls Rationalization Tips • Controls Rationalization is most useful for large organizations with 5+ centers for HR/Payroll, Finance & Accounting operations and IT • In order to provide for enough time for testing, plan to finish rationalization effort by the end of Q2 • As part of any controls rationalization effort, moving towards a standard “best practice” for each functional area must be part of the evaluation • Pick processes which are heavily weighted towards daily or weekly transactions for the largest return on time invested (HR/Payroll, AP, AR, Month End Close, and FA) • Involve your external auditor early: ask for assistance with key controls objectives, then review rationalized control list with them as early as possible • Controls rationalization is best performed with a cross-functional operational, finance, internal audit and IT

  38. Survey – ERP Assessment Not Performed in Many Companies • A company’s ERP has the single greatest impact on the company’s control structure and can account for anywhere between 20% to 50% of the company’s overall controls • A recent Hackett survey indicated 73% of companies had not conducted a controls assessment of their ERP environment Source: The Hackett Group Dec 2004 Web Survey

  39. ERP Platform – Automated Controls Configuration Controls Reporting Controls Security Controls Inherent Controls SOX Best Practice: Automate Controls within ERP Platform Manual & Procedural Controls Reporting Controls • Closing process key activity monitoring • Automated standard reporting in a logical referencing system • System supplied audits Inherent Controls • Integrated balanced posting • Monitoring of questionable postings for review & approval • System retained transaction, program change, and configuration changes Configuration Controls • Edit checks and tolerances • Required & system populated fields • Defaulted & predefined master data • User-defined warning/error messages • Automatic posting • Rule-based workflow Optimizing Automated Controls Benefits: • Greater confidence that controls are being uniformly applied • A faster, more efficient close process • Automating controls makes extraction and analysis of transaction data easier • Accountability for controls evaluation is cascaded down within organization • Ongoing monitoring becomes a less labor-intensive task Security Controls • User access permissions at the program, transaction, table and field levels • Granular authorization management for segregation of duties • Access violations detection and prevention • User profile and assignment management

  40. Automating Controls in ERP Case StudyCompany Overview • One of the world’s leading metals producer with $25B in revenues and 119,000 employees with operations in Asia, Australia, Europe, South America, and the United States. • Active in all major segments of the industry: • Technology • Mining • Refining • Smelting • Fabricating • Recycling • In-scope SOX Coverage • 575 Entities • 25 Business Units • 4 Regions • NA, SA, EUR, AUST/ASIA

  41. Automating Controls in ERP Case Study2004 SOX Issues • Cost/Time requirement • Internal Audit/Management & PwC • Global coordination • Sample sizes/Independence issue • Monitoring and remediation of deficiencies • Auditing ERP System • In versus outside of the system

  42. Automating Controls in ERP Case Study Assessing the ERP controls Assessment Planning & Scoping Current State Action Plan • Assessment Objectives : • Identify relevant unused automated controls • Replace manual controls • Strengthen and standardize controls • Lessen on-going cost of testing controls • Satisfy audit requirements • The Business Objective: Process Enablement Controls

  43. Automating Controls in ERP Case StudyPlanning & Scoping the Effort • Determine business processes / applications to be evaluated • Business Process: HR/Payroll Procure to Pay, Order to Cash, Account to Report • Applications: Purchasing, Payables, Assets, Receivables, General Ledger, Hire to Retire • Decide on Location and Geography • Choose Specific Configurations • Number of separate configurations • Number Chart of Accounts, GL Calendars, Currencies • Number of separate configuration levels • Oracle = Operating Unit / Lawson = Company • Review representative configurations versus all configurations • High Transaction Volume • High Dollar/Euro/Peso Volume • Variety of Transaction Types (Purchasing = Direct / MRO / Services) • Determine how many application environments exist • Number of physical database instances

  44. Automating Controls in ERP Case Study Understanding the variables Customizations Third Party Applications Business Processes Data Creation Controls Application Configuration ERP Application Internal Application Integration Archiving External Application Integration Security Procedures Technology Business Processes Standard Reports Custom Reports

  45. Automating Controls in ERP Case StudyERP Library – Sample Control Types

  46. Automating Controls in ERP Case StudyExample – Accounts Payable Library • Approvals • Hierarchies • Timeout values • $ Limits • Include/exclude rules (GL accounts, items, ship to) • Alerts • PO’s > $xxx,xxx • Number of PO’s by buyer • Receipts not required • Tolerances • Over receipt • Price • Receiving Rules • Blind receiving • Allowing substitute receipts • Unordered receipts • Sourcing Rules • Links items to suppliers

  47. Automating Controls in ERP Case Study Categorizing the Findings • Strengthening Controls • Is the configuration to enforce suppliers on hold checked? • Do purchase orders default to 4-way match? • Who is able to view customer bank account information? • How are changes to the depreciation life of an asset tracked? • Do you use AP Invoice batch controls? • Automating Controls • What approvals are required for entering manual journal entries? • Who can override the default 3-way match on a purchase order? • Do suppliers acknowledge purchase orders? • How do you track changes to interface records in error?

  48. Process Enablement Controls Automating Controls in ERP Case StudyOutcome of Assessment End Result: Strong controls environment and process enablement goals were brought back into balance by automating an additional 20% of the company’s controls. • In 4 weeks, the company, with assistance from The Hackett Group evaluated over 500 system controls within the PO, AP, AR, FA, and GL modules, for the Procure to Pay, Order to Cash, Account to Report business processes for the North American business • The assessment provided management with a recommended set of 90 automated controls to implement in place of the manual controls in existence within the organization, leading to the following benefits: • Greater assurance that the controls are working as designed • Reduced annual SOX testing requirements, and as a result, reduce cost • Increased ability to standardize and strengthen controls across geographies

  49. Summary – Automating Controls Tips • Most companies utilize less than 50% of their ERP functionality, including controls automation • Reducing the reliance on manual processes and paper-based transactional controls is one of the best methods for reducing the overall compliance burden • Before starting any controls automation engagement, conduct a thorough controls rationalization effort of all manual and application controls • Data standards are key • Standardize and simplify chart of accounts • Master files (Customer, Supplier, Employee, Item) • Reason codes, etc • Interfaces are a common source of process breakdown / errors • Segregation of duties is a major area to review for controls issues/problems – and where a best of breed provider may be able to provide additional assistance in maintaining controls compliance

  50. SAS 70 and Service Organizations • Auditors performing audits on a financial statement of a company using a service organization may need to obtain information: • about the services provided by the service organization, • the related service organization controls and • their effects on the user company’s financial statements (Introduction §1.01 AICPA Audit Guide: Service Organizations: Applying SAS 70) • Statement on Auditing Standards (SAS) No. 70 provides • procedures for a service organization to issue a report on the service organization’s controls and • guidance on the use of the report by the the auditor of the financial statements of a company using the service organization • The Primary Purpose of the SAS 70 is provide information about a service organization’s controls to auditors who audit a user company’s financial statement (Introduction §1.03 AICPA Audit Guide: Service Organizations: Applying SAS 70)

More Related