
SOX Compliance - 2013


Presentation Transcript


  1. SOX • Section 302 Certification • Ernst & Young Fees & Hiring EY staff SOX Compliance - 2013

  2. SOX SOX

  3. What is SOX? • The Sarbanes–Oxley Act is a federal law that requires public companies to set up an internal system of control to ensure that: • Reduce the potential of fraud • Financial Statements are accurate • Top management has certified the above • Protect the investors through actions above • Restore faith in public markets

  4. What is key control? A key control is a control that provides reasonable assurance that material errors will be prevented or detected in a timely manner

  5. SOX – key controls VeriFone has identified 11 key process cycles: • Entity Level Controls • Order to Cash • Procure to Pay • Inventory • Fixed Assets • Payroll / HR • Financial Statement Close Process (FSCP) • Information Technology • Tax • Treasury • Equity

  6. SOX – ENTITY LEVEL CONTROLS Entity level controls are internal controls that help ensure management directives pertaining to the entire entity are carried out. These are VeriFone’s code of conduct policy, governance (board and committees of the board oversight), authority and responsibility (authority matrix and 302 certifications), hiring practices (background checks), fraud prevention and detection controls (ethics hotline)

  7. SOX – ENTITY LEVEL CONTROLS Reminders: • We have ZERO tolerance on unethical behavior and fraud. We have an ethics hotline you can call +1-888-719-1218. • Accounting records should be properly supported. • You are responsible to read and understand all our policies.

  8. Controls – entity level controls • Policies and Procedures • Code of Ethics • Whistleblower Process • Authorization Matrix • Background checks • Operating plan • Internal Audit function • Budget to Actual • Audit comments are addressed • Knowledge of code and reporting process • Performance of background checks • Following the operating plan • Responding to auditors • Not following policy • Not signing code of ethics acknowledgment • Legal/practical difficulties with background checks • No timely response to auditors

  9. Controls – order to cash • Bad Debt Reserve is reviewed and approved • AR adjustments are reviewed and approved • Revenue is recognized as per policy • Invoice data interfaces are monitored • Quarterly revenue cutoff is performed • Specific and General reserve • AR adjustment matrix • Revenue Recognition policy • Logs/exceptions • Any non ex-works shipping terms must be reviewed • Documentation inadequate • Not running or retaining exception reports • Not performing cutoff entirely

  10. Controls – procure to pay • Accruals are recorded • 3 – way match • Manual accruals are reviewed and approved • Invoices are supported and approved • GL coding is accurate • All significant contingencies must be disclosed • All unprocessed invoices at period end must be reviewed • Non-inventory invoices have to be approved prior to entry • Invoice audits are not performed • Coding to wrong GL account • Not all accruals are recorded • Not all contingencies are disclosed

  11. Controls – inventory • Cycle/Physical counts results are reviewed and approved • Doc Walk is performed • CM liability is approved by each controller • Warranty reserves are reviewed and approved • Cycle count policy • Last 5 / First 5 • All liabilities with CM must be included • Warranty reserve calculation • Adjustments not documented or approved • Doc walk is not done or evidence is lacking

  12. Controls – fixed assets • Additions, disposals and depreciation are recorded based on policy • All additions should be supported • All disposals must use a disposal form • Depreciation should be calculated by system and verified • Disposals not approved • Incorrect in service dates of assets • Depreciation calculated wrong

  13. Controls – financial close process • Flux analysis of actual results is performed via conference call • 302 Certifications are completed • Significant variances must be investigated and explained • CEO and CFO are required to sign before filing • Insufficient explanations • Inadequate disclosures

  14. Controls – financial close process Shared Controls • All BS accounts are reconciled timely • All Manual JE are reviewed and approved • Timely = before date noted on closing calendar • Reconciled = entire balance explained • Reviewed = determined the item is correct • Approved = signature or email • AR • AP • Deferred Revenue • Inventory • Fixed Assets • Items are not accurate • Late/No approval • Items in reconciliation not included with reconciliation • Approval inadequate

  15. Controls – payroll • Commissions are approved by Regional Controller • New employees are approved, Payroll reports monitored for unusual activity • Review and documentation of approval for commission calculation • Approval of any new employee prior to adding to payroll • Must compare current payroll expense to prior • Improperly documented payroll reconciliation • No approval for new hire

  16. Controls – ITGC (Information Technology general controls) • ERP – Oracle System Controls • User access approval • Segregation of Duties • Although these are system related in many instances there are manual parts of the control • Relying on system while not performing manual portion of control • Relying on system, when underlying is not system controlled or does not include all instances

  17. SOD (segregation of duties) conflicts • SOD conflicts exist because of incompatible duties that a single person or group of persons may have, which elevates the risk associated with potential fraudulent activity • SOD reviews are performed in each location to identify SOD conflicts and mitigate through approved testing • Each location will identify conflicting activity and perform tests to mitigate the risk associated with the underlying SOD conflict • SOD conflicts are based on 9 policies

  18. SOD Conflicts

  19. Controls – TAX • Tax JE are approved by VP of Tax • Tax positions or events in each jurisdiction are reported • Unusual events triggering tax planning should be reported • Not reporting events or disregarding tax strategies • Local tax audits potential adjustments disclosed too late

  20. Controls – TREASURY • Borrowing policy • Investments are periodically evaluated • Loan covenants are monitored • Hedging strategy is reviewed and approved prior to execution • All financing is subject to borrowing policy • Investments must be monitored • Everyone is responsible for covenant compliance • Hedging should be approved • Not aware of policy restrictions • Misclassification of investments • Not being aware of covenants

  21. Controls – equity • Equity awards are approved • Grants are reconciled to 3rd party data • Cancelations, vesting, etc. are monitored • Proper expense is recorded • All new plans must be approved • All grants must be recorded and approved • Communicating grants without authorization • Not terminating grants timely in system

  22. SOX – KEY CONTROLS TESTING Key controls testing is determined by the frequency of the control. Our current planned testing timetable is as follows: For legacy entities: • Phase 1 in May to July for transactions from November to May; • Phase 2 in September to October for transactions from June to August; • Phase 3 in November for transactions from September to October. For Point entities: • Phase 1 in August to September for July transactions; • Phase 2 in September to October for transactions from August to September; • Phase 3 in November for transactions in October. A control is not a deficiency at year end if it has been working before October 31, 2013 for the following frequency: • Annual – Once; • Quarterly – Last 2 quarters; • Monthly – Last 2 months; • Weekly – Last 5 weeks; and • Transactional – Last 25 transactions

  23. SOX – SOX Deficiencies ASSESSMENT • If a key control has not been working for the minimum period immediately prior to year end then it is considered a deficiency. • Deficiency assessment starts with determining whether there is a possibility that the deficiency might result in an error. • If there is a reasonable possibility then we need to identify the magnitude of the potential error. • The quantitative and qualitative factors are considered to determine if it is a material, significant or control deficiency. • SOX requires that we look at the potential error that could result from the key control not working. If there was an error of $2K in a reconciliation of $200 million, SOX requires us to start the assessment at $200 million. We have to ask the local finance team what factors or other key controls will help us reduce the risk of an error of the entire $200 million.

  24. SECTION 302 sub-certification Section 302 Sub-Certification

  25. SECTION 302 Sub-certification • Under Section 302(a) of the Sarbanes–Oxley Act, VeriFone’s CEO and CFO are required to make certain certifications regarding the presentation of the financial statements • After the close of each quarter, designated members of VeriFone management are sent representation letters for review, signature and explanation. Any exceptions in the representations are noted in a memo that is addressed to VeriFone’s CEO and CFO • The Sub-certification process provides assurances to the CEO and CFO so they can make the appropriate certifications

  26. ERNST & YOUNG FEES & Hiring EY staff Ernst & Young Fees and Hiring EY Staff

  27. ERNST & YOUNG FEES & Hiring EY staff • Our auditor Ernst & Young (“E&Y”) has to be independent from VeriFone • VeriFone cannot engage E&Y or anyone related to E&Y to perform any work without the approval of VeriFone’s audit committee. Please submit any request through the Corporate Controller. There are NO EXCEPTIONS • This includes hiring any E&Y staff or their family members

  28. Q&A
