300 likes | 420 Views
Reliable Control Self-Assessment. James Brady Vorhies (“Brad”) Dallas CPA Society’s Hilton Anatole Continuing Education Day May 26, 2011. Course Objective. To convince attendees of the advantages of: Adopting “reliable” control self-assessments versus attribute testing.
E N D
Reliable Control Self-Assessment James Brady Vorhies (“Brad”) Dallas CPA Society’s Hilton Anatole Continuing Education Day May 26, 2011
Course Objective • To convince attendees of the advantages of: • Adopting “reliable” control self-assessments versus attribute testing. • Obtaining “ongoing” assurance versus one-time assurance from existing internal audit investment.
Biggest Payback • Is going to be for SOX 404 compliant companies • Because they will be able to replace management’s attribute testing of each key control: • With ongoing key control monitoring, and • With management testing of the key control process
Next Biggest Payback • If you develop the infrastructure then you can monitor all of the company’s key controls • Examples: • Business Continuity key controls • Debt covenant compliance certifications • Any area’s key controls • GRC Application?
SOX Testing Current State • Key financial controls are generally attribute tested requiring • Annual scoping • Flowcharts and/or narratives • Test case per key control • Sample selection per key control • Attribute test per key control
Attribute Testing Approach Challenges • Key control attribute testing requires audit skills to perform • Difficult to embed testing in management’s process • No ongoing assurance • Attribute testing is seen as a non value add duplicative cost
Current SOX Cost Saving Strategic Initiatives • Scoping to decrease controls tested • Automation of key control reviews • Increase reliance upon management’s internal testing
New SOX Compliance Strategy • To both decrease cost and improve management’s controls monitoring • Develop reliable key control self-assessments • Create an ongoing management monitoring process • Embed responsibility with control owners and responsible management
Transformation: SOX Testing to Controls Monitoring • Transformation is accomplished by creating “reliable” self-assessments that replace control attribute testing • AS 5 allows management to implement their own process – only requirement is that it is “effective” • SEC guidance addresses self-assessments and requires they be “reliable” • COSO’s vision is controls monitoring
Transformation Advantages Ongoing assurance – right things get done right Self-documenting Embedded process owned by management Better employee understanding & acceptance of controls Self-assessments are great training aids Better visibility – all key controls on an automated timeline Ensures tasks get completed – regardless of employee status Leverages off of current investment – start with key controls Reduced compliance cost Minimal attribute testing Frees audit resources Greater coverage - GRC framework for control assurance?
Evolution: Testing to Monitoring – EFH’s Story • 2001 - Ongoing manual KAC self-assessments program (implemented - December 2001) • 2004 - First SOX 404 Opinion: • Deloitte RCTS application • Control owner - VP/manager who had key controls tested • Annual scoping and testing effort • For each key control an individual test plan, sample and attribute test • Maintained narratives, flowcharts and other process documentation • Sample size ~40/roll forward all high risk ~10 • 2006 - SOX 404 Opinion - Combined • Automated key controls self-assessments • Control owner – owns, executes and self-assesses the key control • Abandoned test plans – key controls documented in CMT • Key controls mapped to significant accounts & relevent assertions • Limited sampling and attribute testing • Test the key controls process (key control owners) • Attribute test high volume transactions (easier) • Journal entries • Account Reconciliations • Key Control sample size ~40/roll forward ~None
Reliable Self-Assessments 3 Step process • Must construct reliable self-assessment process • Must monitor self-assessment process • Must test self-assessment process
Reliable Self-Assessments Step 1 • Must construct reliable self-assessment process • Required components • Required Training • Required Company cultural change • Online real-time self-assessment tool necessary to improve timeliness of assurance • But manual process can be “reliable”
Necessary Components for Reliable Self-Assessments • Quality standards • Defines done right • Derived from management’s control objectives • Evidence standards • Sufficient competent – reliable evidence • Insufficient evidence, it didn’t happen • Very similar to what you are currently using • Frequency of review • Workday due – same for all periods (i.e. WD 3) • Calendar due date - for specific period • Based upon how often management wants assurance • Intelligent review and approval
Intelligent Review and Approval • High risk - must be reviewed and approved • Low/Medium risk - answer “Yes” & self approve • Anytime answer “No”, must: • Document exception explanation • Document action plan • Forward for review and approval • Evaluate as a deficiency (financial controls)
Intelligent Review and Approval - continued • Required review and approval if – High Risk: • New key controls • Significant changes in key control(s) • New control owner • Issues with key control completion
Key Control Exception = Failure to meet a: • Quality standard, • Evidence standard, • Or, due date established in the standard < May not be a deficiency • May not create a potential for misstatement if failure was only to achieve a quality or evidence standard • No exceptions is the theoretical goal
Challenge – No Transactions During Period • More efficient to say “No Occurrence” than to report a key control exception • So answers for what the control standard achieved would be: • Yes • No • No Occurrence • Have to provide an explanation in comment field (business rule should require comment) • Important for backup personnel who “own” the same control as the primary control owner • Can apply to almost any control owner’s control
Reliable Self-Assessments Step 2 • Must monitor self-assessment process • Annual review of all key controls • Discuss with control owner • Ensure understand theirkey controls • Control standards written right • Evidence exists as stated • Comments appropriate • Process advantage – control owner understanding of their key controls
Reliable Self-Assessments Step 3 • Must attribute test self-assessment process • Test to determine if control owners complied with process requirements and that the process is reliable • Interim testing of about 40 control owners and all of there key controls • Also, attribute test high volume areas • Journal entries • Account reconciliations
Self-Assessment Advantages over Attribute Testing • Ongoing assurance • Cost savings • Fewer test samples and attribute tests • No test cases to update (must maintain KCR’s) • Less need to maintain narratives, flowcharts and control matrix (matrix maintained in KC’s application) • Insignificant cost to add a new key control to monitor • Ops – add a new KCR
Self-Assessment Challenges • Requires executive management support • If management isn’t testing now – they may not want to monitor • You will have to convince your Auditors • Requires fundamental change in company culture • Must become an embedded part of normal job responsibilities • Just signing off is falsifying company records • May need to pay for an automated process? • Difficult to cost justify
Internal Audit – Controls Monitoring? • EFH’s Internal Audit function primarily operates on a pre-SOX basis • Review the SOX key controls along with all other key controls during their ongoing audits • Audit reviews the financial controls compliance department’s annual testing • Could Internal Audit determine an area’s key controls and then monitor them via control self-assessments?
Internal Audit’s Transformation from One-time to Ongoing Assurance • Goal - Enable Internal Audit achievement of ongoing assurance and risk monitoring • Enable ongoing monitoring of the company’s key operational and compliance controls • Decrease the number and cost of “New” audits • For essentially the same investment as required for a one-time internal audit with one-time assurance.
Internal Audit’s Payback Challenge “New” Audits Current State Future State Perform same “New” audit Perform same audit and reporting steps THEN - IA helps the area’s management develop key control self-assessments for each of the area’s identified key controls. Obtain ongoing assurance for essentially the same investment Prevent future “New” audits and full “New” audit cost • “New” Audits because of normal audit cycle and changes that occur • High “New” audit investment • During each “New” audit • Spend time and resources determining controls and recommendations to implement missing or to fix broken controls • Perform follow-up review • Only obtain one-time assurance for investment
Enable Ongoing IA Client Engagement & Assurance Current State Future State IA stays engaged with the area’s management on an ongoing basis. IA’s existing role as internal consultants will be greatly augmented IA’s independence is not affected For essentially the same investment as for a one-time audit with one-time assurance obtain ongoing assurance • Assurance is only obtained from a one-time follow-up review to ensure that internal audit’s recommendations were appropriately implemented
Follow-up Reviews Current State Future State Follow-up reviews for “monitored areas” will be used to: Review each area’s key controls and self-assessment reports. Ensure that the right key controls are Identified Appropriately monitored Designed and operating effectively. An audit universe risk based approach can still be used to define the frequency of follow-up reviews for monitored areas • A future full size and full cost repeat audit effort is required when the area hits the audit cycle again
Challenges to IA Monitoring Approach • Value proposition decreases if company doesn’t have “New” audit syndrome • Must sell value to executive management • New “cost” (non incremental) to areas being monitored • Determine if payback is there: • Mitigate risk by “pilot project” • Determine success of monitoring approach • If successful – rollout