1. Introduction of Panel Members
2. Sarbanes-Oxley Act of 2002
The Act was signed into law on July 30, 2002.
Title I Public Company Accounting Oversight Board
Title II Auditor Independence
Title III Corporate Responsibility
Title IV Enhanced Financial Disclosures
Title V Analyst Conflicts of Interest
Title VI Commission Resources and Authority
Title VII Studies and Reports
Title VIII Corporate and Criminal Fraud Accountability
Title IX White Collar Crime Penalty Enhancements
Title X Corporate Tax Returns
Title XI Corporate Fraud and Accountability
3. Title II - Auditor Independence
Regulates non-audit services provided to audit clients:
Bookkeeping, Financial IS Design & Implementation, Valuations, Actuarial Services, Internal Audit, Management Functions, HR
Actuarial services allowed under the 2000 rules generally are still allowed, but the auditor cannot (1) audit its own work, (2) perform management functions, or (3) act as an advocate
Requires pre-approval of non-audit services.
Audit partner rotation after five years.
Prohibits auditors from joining management within one year.
Certain matters must be reported to the audit committee.
Audit partner compensation may not be tied to non-audit services sales.
4. Section 302 – Requires the CEO and CFO
To attest that they have reviewed the annual and quarterly reports and that the reports do not contain any materially false or misleading statements and fairly represent the financial condition and results.
To indicate their responsibility for establishing and maintaining internal controls, have designed such internal controls to ensure that material information will be made known, have evaluated the effectiveness of the internal controls, and present their conclusions in the report.
To disclose to the auditors and the audit committee all significant deficiencies in the design or operation of the internal controls and any fraud that involves any management or employee with significant roles in the internal controls.
To indicate any significant changes in controls including any corrective actions.
5. Section 404 – Requires the SEC to Prescribe Rules
Requiring management to annually state their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
Requiring an assessment of the effectiveness of the internal control structure and procedures.
Requiring the auditor to attest to and report on the assessment that management made.
6. Section 404 Final Rule Provisions
Section 404 Annual Assessment
Section 404 Auditor Attestation
Section 302 Quarterly Certifications
7. Section 404 Final Rule Provisions: Section 404 Annual Assessment
Compliance dates:
Most domestic clients: for fiscal years ending on or after June 15, 2004.
Foreign private issuers: for fiscal years ending on or after April 15, 2005.
Definition of “internal control over financial reporting.”
Encompasses internal controls addressed in the COSO Report that pertain to financial reporting objectives.
Includes controls over safeguarding assets.
Management’s report to include statements of:
Management’s responsibility for establishing and maintaining adequate internal control over financial reporting.
Management’s assessment of the effectiveness of such controls.
Identification of the framework used to evaluate effectiveness.
Attestation made by external auditor.
COSO is an accepted standard for management’s assessment.
See graphic on next page
8. The Five Components under the COSO Framework
9. Section 404 Final Rule Provisions: Section 404 Annual Assessment
Management’s assessment must be based on procedures sufficient both to evaluate design and test operating effectiveness. Inquiry alone will generally not provide an adequate basis for assessment.
Management must maintain evidential matter, including documentation, to provide reasonable support for its assessment and testing of both design and operating effectiveness.
Any material weakness in internal control over financial reporting must be disclosed by management in its assessment. Management is also precluded from reporting that internal control over financial reporting is effective if a material weakness is detected.
10. Section 404 Final Rule Provisions: Section 404 Annual Assessment
Guidance on controls subject to management’s assessment:
Controls over initiating, recording, processing and reconciling accounts, transactions, and disclosure and related assertions in financials
Controls related to the initiation and processing of non-routine and non-systematic transactions
Controls related to the selection and application of appropriate accounting policies
Controls related to the prevention, identification, and detection of fraud
Reiteration of guidance regarding auditor independence:
Auditors may assist management in documenting internal controls.
Management must be actively involved in the process; cannot delegate assessment responsibility to the auditor.
11. Section 404 Final Rule Provisions: Auditor Attestation
The registered public accounting firm’s attestation report must be filed as part of the annual report.
Reiteration of PCAOB’s responsibility for setting 404 attestation standards for registered public accountants
Interim adoption of auditing standards in existence as of April 16, 2003
PwC’s position: the attestation exposure draft (AT501) issued by ASB (and not adopted by PCAOB) provides clarification of existing standards and we will use it as interim guidance
Scope of auditor’s work will include independent testing of controls as well as testing of management’s assessment process
Scope of controls testing will include testing over areas involving judgements and estimates
12. Section 404 Final Rule Provisions: 302 Quarterly Certifications
No change in requirement for Section 302 quarterly evaluation of disclosure controls and procedures (DC&P) and disclosure of conclusions regarding effectiveness of DC&P.
Quarterly disclosure in 302 certification of material changes in internal control over financial reporting rather than repetition of Section 404 annual assessment.
Evaluation date is as of the end of the period covered by the report.
Section 302 certifications filed as exhibits to all applicable SEC reports
There is latitude for issuers in determining which internal controls over financial reporting are included in the Company’s inventory of disclosure controls and procedures under Section 302.
Regarding disclosure controls and procedures versus internal controls over financial reporting: The rule states that while the two types of controls are similar in nature, neither one is a complete subset of the other. Disclosure controls will include the components of internal control over financial reporting that reasonably assure financial statements are prepared in accordance with GAAP, but may not include other components of internal control over financial reporting such as safeguarding of assets. The rule gives the example of the control of dual signatures on checks that, while part of internal control over financial reporting, may not necessarily be part of disclosure controls and procedures of a particular company.
13. Current Situation
Understanding the 404 Attestation
Status of Compliance with Sections 302 and 404
Key Challenges
14. Understanding the 404 Attestation: Comparison to Audit of Financial Statements
Audit of Financial Statements:
Understanding and consideration of internal controls only to develop the audit approach
Overall objective is the rendering of an opinion on the financial statements, not to opine on internal controls
Internal control reports have been very rare in practice and are the subject of different professional standards
404 Attestation:
100% controls-based approach
Must evaluate and test controls across business and functional areas to opine on effectiveness (broad and deep) over financial reporting.
Lack of errors, historically, in financial statements is not de facto evidence, unto itself, of an appropriate internal control over financial reporting.
15. Understanding the 404 Attestation – Management Documentation
Under the AT 501 Exposure Draft, Management Provides Documentation of the Following:
Significant controls and control objectives, including:
Controls, including IT general controls, on which other controls are dependent
Anti-fraud programs and controls
Controls over the period-end financial reporting process
Locations and business units included in assessment
Review and evaluation of design effectiveness
Assessment of operating effectiveness including tests
Evaluation of control deficiencies to determine whether they are significant deficiencies or material weaknesses
Written assertion about effectiveness of controls over financial reporting
Communication of findings to auditor and audit committee
16. Status of Compliance with Sections 302 and 404
Many 302 efforts center largely around executive management and the disclosure committee
Supported by cascades of representation letters
Varying levels of detailed evidence of design/operating effectiveness
Varying methodologies in basis for self-evaluation
Existing documentation of design of controls required under Section 404:
Frequency of updates for changes in systems or business processes varies
Not always modified for new reporting, accounting, and disclosure developments
Level of required review and documentation is more rigorous and complex than many companies anticipated.
Companies need the extra time gained from delay in implementation of Section 404 requirements in order to comply.
17. Key Challenges: Overall Process
Documenting and evaluating design of controls vs. testing controls
Who – management, internal auditor, external auditor, consultant?
What – entity vs. activity level controls?
How – periodic vs. ongoing?
When – interim vs. year-end?
Where – which entities/locations are in scope?
Creating an evaluation planning mindset using materiality, including qualitative criteria
Mapping controls to significant accounts, classes of transactions, disclosures and vice-versa
Planning efforts at subsidiaries/divisions based on relative significance
Determining how service providers impact the evaluation
18. Key Challenges: Overall Process
Reporting relative control impacts to audit committee
Reporting 404-control issues publicly, with appropriate perspective
Determining impact of material weaknesses on quarterly certifications
current and previously filed
Creating an internal control reporting process that is built into the control structure, including tools such as:
Documentation aids
Dashboards
Compliance monitoring tools
Optimizing the efficiency of internal control effectiveness reporting
19. Key Challenges: Finding a Common Language to Discuss “Quality of Controls”
Needed by audit committees to evidence oversight
Expected by regulators
Important that technical and judgmental elements of final assessment are communicated and understood
To be effective, audit committees will require:
Perspective to sort out material, “significant” and lesser deficiencies
Definitions of materiality that are reconciled by management from planning through execution, to conclusion
Consistent processes to summarize, categorize, assess, discuss and conclude on relative control issues
Protocols developed in advance to govern the execution of the above processes
20. Overview of Actuarial Process – Illustration of P/C Reserving
One of the best ways to get started with planning/scoping is to create a process map of the company's reserving process: from the source data, to the calculations, interactions with other departments, to the final actuarial estimates, and to the meetings with finance and other executives as the final reserves are decided. Once the process is mapped out, you can begin to see the areas where different points of risk emerge, in the cracks and crevices, when things don't always work out as smoothly as you would have liked.
21. Control Environment – Potential Elements
Corporate values and code of ethics
Established, widely communicated, management and staff “walks the talk”
Clearly defined roles and responsibilities
Corporate organization structure for reserving actuary
Can a conflicting reserve opinion be heard by CFO, CEO, Chairman, Audit Committee?
Effectiveness of staff and management
Familiarity, understanding and training of Audit Committee members with reserving topics.
Mention/reinforce how all 5 components of the control framework need to be present for a control to be considered effective.
We will be walking through some considerations for each of the 5 components of the COSO framework.
22. Risk Assessment – Potential Elements
Is claim and premium coding valid and accurate?
Do systems correctly employ coded transactions to produce reserving reports?
Schedule P, Actuarial reserving triangles, etc.
Have all appropriate actuarial methods been employed?
Are all corporate initiatives considered in reserve projections?
Underwriting, pricing, claims, expense and other initiatives.
Have external environmental events been considered in reserve projections?
Inflation trends, legislative activity, demographics, weather, etc.
23. Risk Assessment – Potential Elements (2)
Where are the key actuarial judgment points for each reserve?
Development patterns, loss ratios, price changes
Has the actuarial profession’s “Statement of Principles” been considered?
Data organization, homogeneity, credibility, frequency and severity, etc.
Where are the key management judgment points for each reserve?
Adjustments, bulk loadings, etc.
What spreadsheets are used in the testing of reserves?
Cell formulae, manual changes
SAP vs. GAAP differences
24. Control Activities – Potential Elements
Documented Processes
Data Reconciliation
Checklist of Procedures
Approval of Deviations
Documentation of Judgments
Documentation of External Inputs
Peer Reviews
Does someone outside the reserve process verify completion of all procedures?
Control activities: the point of the label "documented processes" is that these control activities need to be documented, right? But it's not just about documentation; the control activity needs to occur, and then evidence (e.g., documentation) must be available to demonstrate the control procedure was done.
25. P/C Reserving Process – What Do You Have to Do
Document the Reserving Process
Prerequisite to Identifying Points of Risk – Roadmap is Needed
Scope, Data Collection/Evaluation, Methods/Assumptions, Review Procedures, Bridging between Actuarial and Recorded
“How Much is Enough” Varies Among Companies
Identify Points of Risks
Design Control Activities or Identify Existing Control Activities to Mitigate Risks
Document the Control Activities and their Function
Monitor Effectiveness of Control Activities over Time
26. Other Control Components – Potential Elements
Information & Communication
Input into reserving process – Are there control processes established for input into the reserving processes?
Loss and Premium Data
Ceded Reinsurance
Input of Pricing, Underwriting, Claims into Process
Output of reserving process – Communicating results to senior management
Is there a formal delivery package for reserve results each quarter?
What is lead actuary’s role in approving recorded reserves?
Monitoring
Are exceptions or surprises evaluated?
Were there controls in place?
Why were those controls not effective?
Are post-mortem meetings conducted?
Is input from those outside of the reserving process (e.g., top management, third party actuaries, external and internal auditors) considered in re-evaluations of the process?
27. Internal Controls Maturity Framework
Level 1 – Unreliable
Unpredictable environment where control activities are not designed or in place
Level 2 – Informal
Disclosure Activities and Controls are designed and in place but are not adequately documented
Controls mostly dependent on people
No formal training or communication of control activities
Level 3 – Standardized
Control activities are designed and in place
Control activities have been documented and communicated to employees
Deviations from control activities will likely not be detected
Level 4 – Monitored
Standardized controls with periodic testing for effective design and operation with reporting to management
Automation and tools may be used in a limited way to support control activities
Level 5 – Optimized
An integrated internal control framework with real time monitoring by management with continuous improvement (Enterprise-Wide Risk Management)
Automation and tools are used to support controls activities and allow the organization to make rapid changes to the control activities if needed
The Internal Controls Maturity Framework can be applied to an entire company, a single business unit of a company, a department, a function, or a process. There is flexibility in how it can be used.
In the context of certification requirements:
Many businesses are in the informal state because controls may exist but have not been sufficiently documented.
Even though a company has an internal audit department, they may still be at the “Informal” stage if controls have not been sufficiently documented.
To be ready for an auditor attest (under Section 404), companies should be between Levels 3 and 4. Ideally, at Level 4.
If companies are at the highest Level, #5, then it is likely that they could submit a sufficient certification at any time during the year. They typically have a sophisticated, integrated real-time system of assessing changing risks and monitoring controls year-round.
28. Questions For Company Actuaries
From a big picture, company actuaries need to ask themselves . . .
Are there adequate controls in place around the actuarial reserving process that impact financial reporting?
What does the internal control structure look like and how does it operate?
Are these controls formal or informal?
Are they documented and current?
Are they monitored and tested?
Who is accountable?
29. Questions For Company Actuaries (2)
From a big picture, company actuaries need to ask themselves . . .
How will management assess the ongoing effectiveness of controls?
How are control issues tracked and evaluated?
What are the critical control activities?
How will I demonstrate that I have reviewed the controls every quarter?
What actuarial outputs impact the financial statements and footnotes?