1 / 58

Documenting & Testing Controls


Presentation Transcript


  1. Documenting & Testing Controls. The Institute of Internal Auditors, 2004 Program on Sarbanes-Oxley, January 13, 2004. Dave Richards, CIA, CPA, Director, Internal Auditing, FirstEnergy Corporation

  2. Agenda
  1:00 - 1:05 Introduction & Overview - Dave Richards
  1:05 - 1:15 Process Universe & Documentation - Bob Biancalana
  1:15 - 1:25 Design Documentation & Evaluation - Lynn Fountain
  1:25 - 1:35 Documentation & Testing - Bruce Caplain
  1:35 - 1:45 Remediation - When Testing is Done - Greg Neely
  1:45 - 1:50 Break
  1:50 - 2:25 Questions & Answers - Panel
  2:25 - 2:30 Concluding Remarks - Dave Richards

  3. Key Documentation Issues 1. Approach 2. Processes 3. Risks 4. Controls 5. Design assessment 6. Key Controls to be tested

  4. Key Documentation Issues 7. Test plans 8. Test results 9. Identification of control deficiencies 10. Corrective action plans 11. Re-testing 12. Assertion statements

  5. Agenda (repeat of slide 2)

  6. Process Universe and Documentation. Bob Biancalana, CIA, CPA, CISA, Director of Internal Audit Services, Caremark Rx, Inc.

  7. Define the 404 Process Universe Documenting the 404 Processes Process Universe and Documentation

  8. Process Universe and Documentation Define Correct “Auditable Process” Level Identification of Total Process Universe Define “Financial Reporting” Using COSO Eliminate and Prioritize

  9. Determining the Boundaries
  Entity Wide: Policies & Regulations
  Bridge: Key Processes & Internal Controls
  Task/Procedure Level: Training Manuals

  10. Determining the Boundaries Caremark Entity Wide Policies • Functional Units • Control Units • Auditable Processes • Sub-Processes • Tasks (Procedures) SOX 302 Quarterly Internal Control Certifications SOX 404 Documentation of Processes, Risks and Controls Training Manuals

  11. Eliminate and Prioritize

  12. 404 Universe by COSO Category

  13. Process Documentation Facilitates risk identification and assessment • Begins with the end in mind • Focuses on quality concept of inputs, processing and outputs • Integrates operational, system and financial reporting flows

  14. Process Documentation

  15. Process Documentation

  16. Process Documentation

  17. CAAT and GAAP Technique • For each data transfer point in our process map, we should consider the following causes of error: The data is… • Incomplete • Inaccurate • Unauthorized • Untimely • Also, for the data transfer point where data is input into the G/L, we should consider the risk that GAAP is not applied correctly. CAAT

  18. Financial Assertions Through utilization of the CAAT technique and a consideration of GAAP, we will identify the potential causes of errors related to the financial assertions:
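The CAAT technique on slides 17 and 18 can be carried out mechanically at a data transfer point: reconcile what left the source (the A/P daily detail report) against what arrived at the destination (the batch file uploaded to the G/L) and classify every difference under the four causes of error. The following Python is an added illustration written for this page, not code from the presentation or from any of the presenters' organizations. It assumes a hypothetical voucher layout, a constructed approved-vendor master, a constructed list of authorized approvers, and a 30-day timeliness window; the sample records are constructed and deliberately contain one defect of each kind.

```python
from dataclasses import dataclass
from datetime import date
from typing import NamedTuple


@dataclass(frozen=True)
class Voucher:
    """Hypothetical payment voucher as it appears at a data transfer point."""
    voucher_id: str
    vendor_id: str
    amount_cents: int      # integer cents so control totals never suffer float rounding
    approved_by: str
    invoice_date: date


class Finding(NamedTuple):
    cause: str             # one of: incomplete, inaccurate, unauthorized, untimely
    voucher_id: str        # "*" marks a batch-level finding rather than a single record
    detail: str


def check_transfer_point(source, destination, approved_vendors,
                         authorized_approvers, posting_date, max_age_days=30):
    """Apply the four CAAT error causes to one source-to-destination transfer."""
    findings = []
    src = {v.voucher_id: v for v in source}
    dst = {v.voucher_id: v for v in destination}

    # Incomplete: every record on the detail report must arrive in the batch and nothing
    # extra may appear; the control total is the batch-level completeness check.
    for vid in sorted(src.keys() - dst.keys()):
        findings.append(Finding("incomplete", vid, "on detail report, not in batch file"))
    for vid in sorted(dst.keys() - src.keys()):
        findings.append(Finding("incomplete", vid, "in batch file, not on detail report"))
    src_total = sum(v.amount_cents for v in source)
    dst_total = sum(v.amount_cents for v in destination)
    if src_total != dst_total:
        findings.append(Finding("incomplete", "*",
                                f"control total mismatch: report {src_total} vs batch {dst_total}"))

    # Inaccurate: a record present on both sides must carry the same vendor and amount.
    for vid in sorted(src.keys() & dst.keys()):
        s, d = src[vid], dst[vid]
        if s.amount_cents != d.amount_cents or s.vendor_id != d.vendor_id:
            findings.append(Finding("inaccurate", vid,
                                    f"report {s.vendor_id}/{s.amount_cents} vs batch {d.vendor_id}/{d.amount_cents}"))

    # Unauthorized: payee must be on the maintained vendor master and the approver must be
    # on the authorized list (the vendor-maintenance and authorization controls from slide 26).
    for v in destination:
        if v.vendor_id not in approved_vendors:
            findings.append(Finding("unauthorized", v.voucher_id,
                                    f"vendor {v.vendor_id} not on approved vendor master"))
        if v.approved_by not in authorized_approvers:
            findings.append(Finding("unauthorized", v.voucher_id,
                                    f"approver {v.approved_by} not authorized"))

    # Untimely: an invoice dated after posting, or older than the allowed window, is flagged
    # so the period cutoff can be reviewed.
    for v in destination:
        age = (posting_date - v.invoice_date).days
        if age < 0 or age > max_age_days:
            findings.append(Finding("untimely", v.voucher_id, f"invoice aged {age} days at posting"))
    return findings


def summarize(findings):
    """Count findings per error cause, which is what a test worksheet would tabulate."""
    counts = {}
    for f in findings:
        counts[f.cause] = counts.get(f.cause, 0) + 1
    return counts


# Constructed sample data (not from the presentation): the A/P detail report and the
# batch file the G/L received for the same day.
DETAIL_REPORT = [
    Voucher("P1001", "V100", 125000, "jdoe", date(2004, 1, 5)),
    Voucher("P1002", "V200", 80050, "asmith", date(2004, 1, 8)),
    Voucher("P1003", "V300", 5000, "jdoe", date(2003, 11, 20)),   # 54 days old: untimely
    Voucher("P1004", "V100", 31000, "jdoe", date(2004, 1, 10)),   # dropped in transfer: incomplete
]
BATCH_FILE = [
    Voucher("P1001", "V100", 125000, "jdoe", date(2004, 1, 5)),
    Voucher("P1002", "V200", 80500, "asmith", date(2004, 1, 8)),  # amount keyed wrong: inaccurate
    Voucher("P1003", "V300", 5000, "jdoe", date(2003, 11, 20)),
    Voucher("P1005", "V999", 9900, "tjones", date(2004, 1, 12)),  # not on report, unknown vendor/approver
]
APPROVED_VENDORS = {"V100", "V200", "V300"}       # constructed vendor master
AUTHORIZED_APPROVERS = {"jdoe", "asmith"}         # constructed approver list
POSTING_DATE = date(2004, 1, 13)


def run_example():
    return check_transfer_point(DETAIL_REPORT, BATCH_FILE, APPROVED_VENDORS,
                                AUTHORIZED_APPROVERS, POSTING_DATE)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.cause:12} {f.voucher_id:6} {f.detail}")
    print(summarize(run_example()))
```

Each finding names the cause, so the output maps directly onto the financial assertions the slide ties to them: missing or extra records and a control-total break speak to completeness, a changed amount to accuracy, an unknown vendor or approver to authorization, and a stale invoice to the period cutoff. Sets of identifiers stand in for the vendor master and approver table; in practice those would be read from the system of record at the time of the test.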

  19. Key Points • Point of contention is definition of “financial reporting” • Go beyond “just compliance” • Define and determine unique niche • Don’t create redundant documentation • Have long-range strategy

  20. Agenda (repeat of slide 2)

  21. Design Documentation & Evaluation. Lynn Fountain, CPA, MBA, Sr. Manager Risk Assessment & Audit Services, Aquila, Inc.

  22. Getting Started • Tools • Information repository • Financial statement linkage • Ongoing attestation • Process classification scheme • Define business cycles • Define processes & sub-processes

  23. Cycles/Processes

  24. Documentation Requirements

  25. Documentation Requirements
  Risk Matrix: Identify relevant financial statement/reporting risks; identify operational or compliance risks that have key financial links
  Control Points: Key Controls ensure propriety and effective management of the process; Secondary Controls support a key control and are supported by other controls in the process

  26. Risk Control Matrix
  ORGANIZATION: Corporate, 10.05.01 Accounts Payable
  Process Owner: John Doe
  Process Effectiveness: Not Evaluated
  Accounts Applicable: 1000 Assets: 1110 Cash & Cash Equivalents: 1111 Cash; 2000 Liabilities: 2130 Accounts Payable
  Assertions (Evaluation):
  • Access to Assets: Effective
  • Authorization: Not Evaluated
  • Completeness and Accuracy: Effective
  • Presentation and Disclosure: Effective
  Risks (Design / Operation):
  • Applications Risk: Effective / Not Effective
  • Fraud: Effective / Effective
  • Payment Accounting: Ineffective / Not Evaluated
  • Payment Accuracy: Effective / Effective
  • Payment Authorization: Ineffective / Not Evaluated
  • Vendor Maintenance: Effective / Effective
  CONTROL LIST:
  • Specific/Preventive/Manual: A standard payment request form is utilized to ensure consistent information is conveyed when a payment is processed
  • A/P provides Treasury with a copy of the daily Detail Report in order to verify integrity and completeness of the batch file uploaded to Integrity
  • Monitoring/Detective/Manual: Access to each page and function within PeopleSoft is managed and set up by System Administration in order to limit user access as appropriate by need (KEY)
  • Pervasive/Preventive/System: Access to make changes (i.e. address, bank account, etc.) to a vendor is limited to the System Administrator (KEY)
  • Any coding errors identified by the system are kicked out to a coding error queue where the image of the voucher is saved, and the voucher is put on “recycle”. A/P reviews this log daily to ensure timely resolution (KEY)

  27. Evaluating Process Design • Sequence of evaluation • Individual control design • Prevention/detection of material misstatement • Collective control design • Reasonable assurance “collective” controls reduce risks to an acceptable level • COSO elements • Process control environment, risk assessment & information/communication • Overall process design

  28. Work Program – Design Effectiveness

  29. Individual Control Considerations • Existence • Design • Attributes • Value of individual control • Placement of control in the process • Process efficiency • Experience of individuals executing the control • Preventive/Detective • System/Manual

  30. Collective Control Considerations • Primary vs. secondary • Detective vs. preventive • System vs. manual • Overall risk mitigation impact • Monitoring controls • Past control variances • Reporting of control practices

  31. COSO Element Considerations • Control Environment • Roles & Responsibilities • Policies & Practices • Risk Assessment • Existence of process objectives • Availability of resources • Information & Communication • Information Technology • Reporting and communication

  32. Overall Process Design • Final Considerations • Efficiency of individual controls • Risk mitigation impact of collective controls • Existence of process COSO elements • Effective • No significant design gaps noted in any sequence of analysis that may result in material misstatement • Ineffective • Potential design gaps may result in a material misstatement

  33. Agenda (repeat of slide 2)

  34. Documentation & Testing. Bruce Caplain, CPA, Director of Auditing, John Hancock Financial Services, Inc.

  35. Documentation & Testing • Precursors to testing • Communicating testing concepts • Performing the tests • Documenting your testing • Lessons learned

  36. Documentation & Testing • Precursors to Testing: • Executive support • Knowledge of the Sarbanes process • Management owning the process • Well documented controls • Ramifications of non-compliance

  37. Documentation & Testing • Communicating testing concepts • Teaching non-auditors to audit • Training, training, and more training • Tools, tools, and more tools • Evidence of control vs. testing controls

  38. Documentation & Testing • Performing the tests: • What is the objective of your test? • Who should test? • Which controls should you test? • How detailed should your testing be? • How large is the sample size? • What period should it cover?

  39. Documentation & Testing • Document your testing • Ideal vs. acceptable • System vs. manual • What needs to be evidenced • Testing documentation tool

  40. Documentation & Testing • Lessons Learned • Standardization • Dry run attestation before due date • Training, training, training, training • Tools, tools, tools, tools • Follow up • Biggest key to success is executive support

  41. Agenda (repeat of slide 2)

  42. Remediation - When Testing is Done. Greg Neely, CIA, Senior Director Operations Review, Sysco Corporation

  43. Remediation – When Testing is Done • Overview of the work completed thus far • Mapped out and identified the processes • Determined the materiality of each process • Completed testing the processes and the internal controls • Deal with the gaps and shortfalls

  44. Dealing with the Gaps and Shortfalls • Controls fail • What is the materiality of the control?

  45. Dealing with the Gaps and Shortfalls Controls should have been rated a level of importance The control owner indicates if the test passed or failed

  46. Dealing with the Gaps and Shortfalls • Controls fail • What is the materiality of the control? • Are there compensating controls in place? (If there is no compensating control, put the control in place and retest) • How does this affect other Sarbanes-Oxley certifications (302)?

  47. Dealing with the Gaps and Shortfalls • Missed a Process • Determine if the process and related controls are material • If material, document the process and related controls • Perform testing

  48. Dealing with the Gaps and Shortfalls • Acquisitions • Determine if the acquisition is material • Develop a standard template of processes and controls and provide this template to the acquired entity • Over test if needed

  49. Dealing with the Gaps and Shortfalls • Over-testing the work performed • Does the testing need to be verified? • Who performs the over-test? • When over-testing identifies errors • How do you document over-testing?

  50. Dealing with the Gaps and Shortfalls • Document over-testing procedures and the conclusions reached • Attach a copy of the worksheet that was over-tested so it cannot be altered