Presentation to San Jose State University, December 7, 2006. Presenters: Jerry Meyers, TR Senior Manager (Jerry.meyers@protiviti.com); Jagdish Pandey, TR Assoc. Director (Jagdish.pandey@protiviti.com); Dina Talerico, IA Senior Manager (Dina.talerico@protiviti.com).
Objectives • Who is Protiviti? • What We Do – Risk Consulting Defined • Our Vision, Mission and Core Values • Our Accomplishments • Our Locations, Our Clients • Behind the Enron Scandal • The Protiviti Story • The Financial Statement Risk Assessment Process • Sarbanes-Oxley Overview • Our Approach/Methodology • FS Prioritization Process • Questions and Wrap-Up
Who is Protiviti? Protiviti is a leading provider of independent risk consulting and internal audit services.
What We Do - Risk Consulting Defined The discipline of: • Identifying, sourcing and measuring risk • Formulating risk management strategies • Designing and implementing capabilities for avoiding, retaining, reducing, transferring and exploiting risk • Monitoring risk within acceptable tolerance levels
In Other Words… We help clients understand their risks and how they can turn them into a competitive advantage.
Protiviti’s Vision and Mission • Vision To be recognized as the Premier Global Risk Consulting and Internal Audit Service Company. • Mission To constantly improve how businesses manage risk. We will develop deep competencies in people which enhance their value. We will bring unparalleled expertise to clients in risk management.
Protiviti Embodies Our Core Values
Protiviti core values: professionalism, productiviti, proactiviti, objectiviti, creativiti, integriti, quality
We are:
• Experienced Professionals with Proven Processes, Methodologies and Tools
• Focused on Risk Consulting
• A Driven Organization
• Independent
• Financially Strong
• A Strategic Advantage to Meet Your Resource Needs
• “Passionate About our Clients”
Why Protiviti?
Protiviti fills a unique and valuable position in the market. It brings a blend of knowledge and experience that combines the focus, dedication and independence of a boutique firm with the methodologies & tools, global presence, and deep skill sets of the Big 4.
Big Four:
• Methodologies & tools
• Experienced professionals
• Depth of risk consulting services
• Financial & management stability
• Recognized
• Global presence
Boutique:
• Responsive client service
• Lack of SEC restrictions
• Independent from attest & tax services
• Better teaming with external auditors
• Focus on core offerings
• Fee flexibility
Protiviti combines the strengths of the large consulting companies and independent alternatives…without compromise
Accomplishments • Growth in the number of Protiviti employees and locations • Recent quarterly earnings • Implementation of a company Intranet, iShare, with cutting-edge knowledge management solution • Recognized as a thought leader through our SOA and Internal Audit FAQs • National alliances and partnerships • Continued training development initiatives
Protiviti Locations Protiviti employs over 2200 professionals in more than 50 locations in North America, Latin America, Europe, Asia and Australia.
Protiviti Clients Our client experience includes organizations across all major industries from global Fortune 500 corporations to small, privately-held, local institutions.* *All logos used with client permission
Our Practice
Our offerings span a breadth of internal audit and business and technology risk solutions.
Internal Audit:
• Audit Committee Advisory
• IA Technology/Tool Implementation
• Internal Audit Co-Sourcing
• Internal Audit Full Outsourcing
• Internal Audit QA Review
• Internal Audit Transformation
• IT Audit Services – Start up and Development Advice
Technology Risk:
• Application Effectiveness Solutions
• Change Management Solutions
• Continuity Solutions
• Identity Management
• IT Asset Management Solutions
• Program Management Solutions
• Security and Privacy Solutions
Business Risk:
• Corporate Governance
• Event Response
• Financial Risk
• Operational Risk
Internal Audit
An outsourcing provider should have the flexibility to tailor the delivery options to meet the needs of your organization in the short term and long term. Some common outsourcing options are listed below.
[Figure: sourcing options diagram. Labels: Full In-House; Limited Consulting/Ad Hoc Projects; Strategic Sourcing; Specialized Skills Arrangement; Co-Sourcing; Single Audit Director Model; Recurring Co-Sourcing; Partial Outsourcing; Full Outsourcing; Strategic Partnering]
• Ad hoc consulting work and execution of internal audit projects on an “as needed” basis. Examples: transformation/benchmarking, facilitation, IA training, quality assurance reviews, selected internal audits, loan of personnel.
• Internal Audit leverages specialized skills/knowledge from outsource provider for specific projects. Examples: IT, Fraud, International, Self Assessment.
• Internal Audit Director manages internal audit function and reports to CFO and Audit Committee. Director is responsible for implementing the internal audit plan using outsource partner resources to execute.
• Internal Audit department teams with outsource partner for resources on regular, ongoing basis, generally spanning multiple years.
• Internal Audit partners with outsource partner to manage and execute the IA function, sharing all knowledge, proprietary tools, methodologies, and training, as well as providing substantial amount of resources on a recurring, long-term basis.
Business Risk • Corporate Governance • Enterprise Risk Management • Sarbanes-Oxley • Self-Assessment • J-SOX • Financial Risk • Basel II Services • Credit Risk • Trading & Commodities Risk • Treasury Risk • Risk Technology Solutions (RTS) • Discoveri • Dynamic Policy • Protiviti's Governance Portal • Resolver Suite • Event Response • Fraud Risk Management • Financial Investigations • Litigation Consulting • Operations Risk • Capital Projects & Construction Risk • Finance Process Effectiveness • Financial Reporting Risk Services • Regulatory Risk Consulting • Revenue Risk Services • Spend Risk Solutions • Supply Chain Risk Management
Behind the Enron Scandal • In March 2002, the US Justice Department indicted Arthur Andersen for obstruction of justice. Within 2 weeks, many of Andersen’s Fortune 100 clients had announced that they were going with another firm. • Protiviti launched in May 2002 with approximately 700 ex-Arthur Andersen employees who had just lost their jobs as a result of the Enron scandal. • In June 2002, jurors convicted Andersen of obstructing justice by destroying Enron Corp related documents. • The conviction forced Andersen out of business: the remaining 28,000 employees (two thirds of its workforce) lost their jobs and the firm was suspended from practicing audit. • Three years later the Supreme Court overturned the ruling, saying Andersen was convicted without proof that its shredding of documents was deliberately intended to undermine the SEC’s investigation of Enron.
The Protiviti Story • Protiviti’s launch in 2002 with only 700 employees was the result of an employment agreement between Robert Half International (“RHI”) and Arthur Andersen • Protiviti was formed as a wholly-owned subsidiary of RHI (a $3.3 billion public company specializing in staffing) and today employs more than 2,200 professionals in more than 50 offices in the Americas, Asia-Pacific and Europe • Protiviti and the RHI divisions refer each other to clients for new business • RHI staffs the appropriate contractors to augment Protiviti engagement teams • RHI and Protiviti use the same shared services for Accounting, IT, Operations, etc.
Sarbanes-Oxley Overview • Section 301: Publicly traded companies are required to establish a procedure for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. • Section 302: Management must evaluate the design and operational effectiveness of its disclosure controls and procedures quarterly (disclosure controls include internal controls). • Section 404: Management is required to file an internal control report with their annual report, stating – • Management’s responsibilities to establish and maintain adequate internal controls and procedures for financial reporting • Management’s conclusion on the effectiveness of these internal controls at year end • That the company’s public accountant has attested to and reported on management’s evaluation of internal controls over financial reporting • Section 906: Expressly imposes criminal penalties if the information contained in the periodic report does not fairly represent, in all material respects, the financial condition and results of the operations of the issuer.
Our Approach/Methodology
[Figure: Protiviti’s Approach. Recoverable labels follow.]
Inputs: Financial Reporting Requirements; Process Risks
Components of Internal Control Reporting: Entity-Level Controls; Relevant Processes; Control Design; Control Operation; Control Improvements; Internal Control Report
Phases: Set Foundation; PHASE I: Assess Current State and Identify Relevant Processes; PHASE II: Document Design and Evaluate Critical Processes and Controls; PHASE III: Design Solutions for Control Gaps; PHASE IV: Implement Solutions for Control Gaps; Report
Supporting activities: Continuous Improvement; Project Management; Knowledge Sharing; Communication
IT Controls / IT Control Considerations: IT Organization and Structure; IT Entity-Level Control Evaluations; IT Process Level Control Evaluations
Tools & Technology: SarbanesDiagnostics; Process Management (SarbOx Portal™); Assessment Management (The Self Assessor™); Knowledge Management
Our Approach: Detailed Project Steps
Set Foundation; PHASE I: Assess Current State and Identify Relevant Processes; PHASE II: Document Design and Evaluate Critical Processes and Controls
• Organize project
• Develop project plan
• Agree on approach/reporting requirements
• Perform entity-level controls assessment
• Select financial statement elements, processes and locations
• Documentation standards – level of depth, assertions and control objectives
• Inventory existing control documentation
• Testing approach
• Document processes
• Source risks (what can go wrong?)
• Document controls
• Assess design
• Validate operation
PHASE III: Design Solutions for Control Gaps; PHASE IV: Implement Solutions for Control Gaps; Report
• Evaluate nature of identified deficiencies
• Decide deficiencies requiring correction
• Design and document improvements
• Build improvements
• Roll out improvements
• Test improvements
• Update policies and procedures
• Provide training
• Measure performance
• Formulate conclusions with respect to internal controls over reliability of financial reporting
• Provide results and documentation to external audit for attestation process
• Conclude attestation process
• Write internal controls report
FS Prioritization Process: Selecting Financial Reporting Elements Factors to consider in determining key financial reporting elements: • Materiality of financial statement items • Degree of volatility of the recorded amount over time • Degree of subjectivity used in determining account balance • Susceptibility to error or omission as well as loss or fraud • Complexity of calculation Additional factors to consider might include the following: • Velocity of account - the speed of transactions through the account • Nature and types of errors and omissions that could occur, i.e., “what can go wrong” • Volume, size, complexity and homogeneity of the individual transactions processed through a given account or group of accounts • Disclosures / footnotes in financial statements • Prior year external auditor management letter comments
FS Prioritization Process: Risk Map
[Figure: risk map plotting each process by Significance (Low to High) against Risk (Low to High)]
Processes:
• Revenue Processes: Order Management; Shipping and Billing; Accounts Receivables and Collections; Allowances; Revenue Reserves
• Expenditure Processes: Purchasing; AP & Cash Disbursement; Asset Management; Amortize Prepaid and Intangible Assets; Manage Travel and Entertainment
• Conversion Processes: Inventory Costing & COGS; Inventory Reserves; Inventory Management
• Financial Reporting: Close Process and Consolidation; Financial Statement Reporting and Disclosure; Budgeting, Forecasting and Management Reporting
• HR and Payroll: Employee Master File Maintenance; Payroll and employee benefit liabilities; Incentive Compensation
• Treasury: Managing Cash and Investments; Borrowings
• Equity: Stock Compensation and Administration
• Taxes: Income Tax Provisions and Compliance
• Information Technology: IT General Controls
The Financial Statement Risk Assessment Process: “Technology Coverage”
Our Approach: Linkage to IT
The IT work builds on these steps:
• Select Priority Elements: Select the priority accounts and disclosures. Consider significance to financial reporting and risk of misstatement.
• Document Processes: Document the transaction flows that materially impact the priority financial elements.
• Source Risks: Use financial reporting assertions to source “what can go wrong” within the processes. What are the risks?
• Document Controls: Document entity controls (“tone at the top”). Document the controls at the source of the risk (preventive) or downstream in the process (detective). What are the controls? Who owns the controls?
• Assess Design: Assess effectiveness of controls design at entity and process levels. How is the controls design rated?
• Validate Operation: How are the controls performing?
• Report: Conclude; Communicate; Report
Our Approach: Linkage to IT
Source: IT Governance Institute – IT Control Objectives for Sarbanes-Oxley, April 2004
[Figure: layered diagram, top to bottom. Significant Accounts in the Financial Statements (Balance Sheet, Income Statement, SCFP, Notes, Other); Business Processes / Classes of Transactions (Process A, Process B, Process C); Financial Applications (Application A, Application B, Application B); IT Infrastructure Services (Database, Operating System, Network)]
IT General Controls:
• Program development
• Program changes
• Program operations
• Access control
• Control environment
Application Controls:
• Accuracy
• Completeness
• Validity
• Authorization
• Segregation of duties
• etc.
Our Approach: ITGC Scope Objectives
Development (SDLC) and Change Management:
• Acquire or Develop Application Software
• Acquire Technology Infrastructure
• Install and Test Application Software and Technology Infrastructure
• Manage Changes
Access and Security:
• Ensure Systems Security (Physical, Network, Operating System, Database and Application levels)
• Manage the Configuration
Operations:
• Manage Problems and Incidents
• Manage Data
• Manage Operations
• Define and Manage Service Levels
• Manage Third-party Services
Our Approach: ITGC Scope Applications
Application Controls
Source: IT Governance Institute – IT Control Objectives for Sarbanes-Oxley, April 2004
[Figure: layered diagram, top to bottom. Significant Accounts in the Financial Statements (Balance Sheet, Income Statement, SCFP, Notes, Other); Business Processes / Classes of Transactions (Process A, Process B, Process C); Financial Applications (Application A, Application B, Application B); IT Infrastructure Services (Database, Operating System, Network)]
IT General Controls:
• Program development
• Program changes
• Program operations
• Access control
• Control environment
Application Controls:
• Accuracy
• Completeness
• Validity
• Authorization
• Segregation of duties
• etc.