“Convergence, Communication and Interactive Data”
December 3-6, 2007, Vancouver, British Columbia, Canada
Internal Reporting Track
XBRL application to Internal Controls
December 4th, 2007
Yuji Furusho, CISA (Certified Information Systems Auditor), Fujitsu Limited

Background
• Annual documentation and evaluation of Internal Controls are “formal activities” for listed companies in the following countries:
  - U.S. - Sarbanes and Oxley Act (so-called SOX)
  - Canada - Bill-198 / Regulation 52-109
  - Japan - Financial Products Exchange Act (so-called J-SOX)
  - Korea, France, etc.
• Evaluation of Internal Controls in accordance with the significance of the impact on the financial statements is key. This means that evaluation of the internal controls should be consistent with the significance of related accounts, and therefore consistent with the ultimate impact in the financial statements.

Basic Idea 1
• Enterprise Model – connecting FS, GL, and business process
[Figure: Financial Statement ((PL) sales, (BS) A/R, (BS) inventory) linked to General Ledger accounts (Hardware sales, Maintenance sales, Software sales, A/R - Software), which are linked to business processes by location (Sales Process - Head Quarter, Sales Process - North Region), each with related accounts, (n) risk and (n) control.]

Basic Idea 2
• Internal Control Taxonomy to handle non-financial business process information.
  - Definition of “Control Objective”, “Risk”, and “Control Activity” in a business process.
  - “Design effectiveness”, “Operational effectiveness”, and “Remediation plan/status” as values.
• Utilization of “COSO elements”
  - For comprehensive Risk/Control identification.
  - For focusing not only on “Risk” but also on “Opportunity”.

Internal Control Taxonomy Architecture
[Figure: layers of the taxonomy. Fixed elements: process, location, related acct, (n) subprocess. COSO elements (coso: activity; F,O,C) and Company Extension (F,O,C,S) in the Internal Control Dimension: (n) control objective, (n) risk with assertion / related assertion, (n) control activity. Instance Document: key control, result (score), result (narrative), issue (incomplete evidence; control exception such as exception on approval, processing, etc.), remediation, status.]

COSO Taxonomy – activities in COSO tool
• 25 activities illustrated in COSO tool.
  1. INBOUND
  2. OPERATIONS
  3. OUTBOUND
  4. MARKETING AND SALES
  5. SERVICE
  6. PROCUREMENT
  7. TECHNOLOGY DEVELOPMENT
  8. HUMAN RESOURCES
  9. MANAGE THE ENTERPRISE
  10. MANAGE EXTERNAL RELATIONS
  11. PROVIDE ADMINISTRATIVE SERVICES
  12. MANAGE INFORMATION TECHNOLOGY
  13. MANAGE RISKS
  14. MANAGE LEGAL AFFAIRS
  15. PLAN
  16. PROCESS ACCOUNTS PAYABLE
  17. PROCESS ACCOUNTS RECEIVABLE
  18. PROCESS FUNDS
  19. PROCESS FIXED ASSETS
  20. ANALYZE AND RECONCILE
  21. PROCESS BENEFITS AND RETIREE INFORMATION
  22. PROCESS PAYROLL
  23. PROCESS TAX COMPLIANCE
  24. PROCESS PRODUCT COSTS
  25. PROVIDE FINANCIAL AND MANAGEMENT REPORTING

Basic Idea 3
• Using element / value to “link” taxonomies:
  - FR taxonomy and GL taxonomy: “xbrlinfo” elements in GL taxonomy
  - GL taxonomy and IC (Internal Control) taxonomy: “relatedAccount” element in IC taxonomy
[Figure: FR taxonomy element sales: with instance value sales: “682,xxx”, linked to GL taxonomy element xbrlinfo: with instance value xbrlinfo: “sales”. GL taxonomy element accountMainID: with instance value accountMainID: “EX00100”, linked to IC taxonomy element relatedAccount: with instance value relatedAccount: “EX00100”.]

Implementation Model
• The following “FS – GL (Trial Balance) – IC” model has been adopted for Proof-of-Concept.
[Figure: Journal Entry aggregates into the General Ledger and into a Trial Balance (by location) holding (PL) sales, (BS) A/R, (BS) inventory, which rolls up to the Financial Statement. A location definition and an acct-process mapping connect the Trial Balance to Internal Control (location x process, related accounts, (n) risk, (n) control). Definition using Dimensional Taxonomy.]

IC Taxonomy Architecture 1
• Overall Structure
  - Process Information (1): Process, Location, Related Accounts, etc.
  - Sub-Process Information (n): Control Objective, Risk, Control Activity, Key Control, etc.
  - Evaluation and Remediation (1 1): Design Effectiveness, Operational Effectiveness, Remediation Plan, etc.

IC Taxonomy Architecture 2
• “Process Information” section
  Process Information element | Sample
  process | Sales Process
  location | Software Service Dept.
  related accounts | Sales, Account Receivable

IC Taxonomy Architecture 3
• “Sub-Process Information” section
  COSO element | Sample
  activity | PROCESS ACCOUNTS RECEIVABLE
  sub-activity | -
  control objective | Accurately record all authorized sales returns and allowances and only such returns and allowances
  risk | Inaccurate input of data
  control activity | Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function
[Figure: sections attached to the COSO elements. Control objective flags: financial reporting, operation, compliance, safeguarding asset. Risk section: risk ID, risk, assertion. Control activity section: control ID, control, control method (manual/auto), evidence/related documents, assertion.]

IC Taxonomy Architecture 4
• “Sub-Process Information” section – “risk”

IC Taxonomy Architecture 5
• “Sub-Process Information” section – “control activity”

IC Taxonomy Architecture 6
• “Evaluation and Remediation” section
  - design effectiveness: date; person in charge of evaluation; results - score; results - narrative
  - operational effectiveness: date; person in charge of evaluation; population; number of samples; results - score; results - narrative
  - remediation: person in charge of evaluation; summary; due date
  - key control: yes / no (Boolean)

IC Taxonomy - Technical Consideration
• Use of “dimensionItem”
  - Multi dimension of “Control Objective”, “Risk”, and “Control Activity”
• Use of Reference Link
  - Use of “part element”, setting Boolean value:
    - Control objective: F/R, O/R, C, S/A
    - Assertion: Ex, C, R/O, Ev, A/C, P/D
    - Type of Control: Manual, Automatic
[Figure: a Risk element with a Reference Link whose “part” element assertion – E/O is set to yes / no (Boolean).]

Merit of Enterprise Model
• Consistent and effective risk management for Financial Reporting by balancing financial risk significance and control importance.
[Figure: two links, FR to GL and GL to IC.]

Merit of Enterprise Model - Scenario 1
• Identify and understand internal control implications on significant accounts – (Where and what kind of issues, etc.)
[Figure: Financial Statement ▷ Internal Control. A/R on the financial statement traced to Location A: A/R (75%) and Location B: A/R (15%).]

Merit of Enterprise Model - Scenario 2
• Identify and understand accounts affected by internal control issues.
[Figure: Internal Control ▷ Financial Statement. Deficiencies at Location A: A/R (75%) and Location B: A/R (15%) traced back to A/R on the financial statement.]
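
The links from Basic Idea 3 (GL "xbrlinfo" naming the FR element, IC "relatedAccount" carrying the GL "accountMainID") turn Scenario 1 and Scenario 2 into two joins over the same rows. The Python below is an added example, not part of the original slides; it uses flat rows instead of XBRL instance documents, and the "location", "amount" and "effective" fields, the account ID "EX00200" and all control IDs are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data. Keys mirror the slide's element names; only
# "EX00100" and "sales" come from the slide, everything else is made up.
TRIAL_BALANCE = [  # GL side: xbrlinfo names the FR element
    {"accountMainID": "EX00100", "xbrlinfo": "sales", "location": "A", "amount": 600},
    {"accountMainID": "EX00100", "xbrlinfo": "sales", "location": "B", "amount": 400},
    {"accountMainID": "EX00200", "xbrlinfo": "A/R", "location": "A", "amount": 750},
    {"accountMainID": "EX00200", "xbrlinfo": "A/R", "location": "B", "amount": 150},
    {"accountMainID": "EX00200", "xbrlinfo": "A/R", "location": "C", "amount": 100},
]
CONTROLS = [  # IC side: relatedAccount carries the GL accountMainID
    {"id": "CTL-1", "location": "A", "relatedAccount": "EX00200", "effective": False},
    {"id": "CTL-2", "location": "B", "relatedAccount": "EX00200", "effective": True},
    {"id": "CTL-3", "location": "A", "relatedAccount": "EX00100", "effective": True},
    {"id": "CTL-4", "location": "B", "relatedAccount": "EX00100", "effective": True},
]

def controls_behind(fr_element):
    """Scenario 1: FR element -> GL rows -> IC rows, largest balance first."""
    rows = [r for r in TRIAL_BALANCE if r["xbrlinfo"] == fr_element]
    total = sum(r["amount"] for r in rows)
    result = []
    for r in sorted(rows, key=lambda r: -r["amount"]):
        linked = [c for c in CONTROLS
                  if (c["relatedAccount"], c["location"])
                  == (r["accountMainID"], r["location"])]
        result.append({
            "location": r["location"],
            "share": r["amount"] / total if total else 0.0,
            "deficient": [c["id"] for c in linked if not c["effective"]],
            "uncovered": not linked,  # balance with no control mapped to it
        })
    return result

def exposure_from_deficiencies():
    """Scenario 2: deficient controls -> GL rows -> share of each FR element."""
    bad = {(c["relatedAccount"], c["location"])
           for c in CONTROLS if not c["effective"]}
    total, hit = defaultdict(float), defaultdict(float)
    for r in TRIAL_BALANCE:
        total[r["xbrlinfo"]] += r["amount"]
        if (r["accountMainID"], r["location"]) in bad:
            hit[r["xbrlinfo"]] += r["amount"]
    return {fr: hit[fr] / total[fr] for fr in hit if total[fr]}

if __name__ == "__main__":
    print(controls_behind("A/R"))
    print(exposure_from_deficiencies())
```

The "uncovered" flag marks a location that holds part of the balance but has no control mapped to the account, a gap that the join exposes and a control list alone would not.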

Merit of XBRL application
• Flexible definition and evaluation through taxonomy.
• Relationship among “Control Objective”, “Risk”, and “Control Activity” using dimensional model
  - Evaluation of “Control Objective” and “Control Activity” relationship, skipping “Risk” element, or evaluation of “Risk” and “Control Activity” relationship, skipping “Control Objective”
• “Risk” or “Control Activity” evaluation with respect to specific “Control Objective”
  - A company may want to focus on the “Financial Reporting” objective, while another may want to include the “Operational Effectiveness” objective.
• Identification of compensating controls
  - “Control Activity” relevant to “Risk” by evaluating “Related Assertion”

Merit of XBRL application 1 - dimensional model
• Dimensional definition of “Control Objective”, “Risk”, and “Control Activity”.

Merit of XBRL application 2 - focusing on “Control Objective”
• Flexible evaluation of “Risk” and “Control Activity” focusing on “Control Objective” – Company may want to focus on “Financial Reporting” for SOX auditing purpose.
[Figure: Control Objective with Reference Links. COSO Taxonomy “part” elements: Financial Reporting - yes / no (Boolean), Operational Effectiveness - yes / no (Boolean), Compliance - yes / no (Boolean). Company Extension “part” element: Safeguarding Asset - yes / no (Boolean).]

Merit of XBRL application 3 – compensating control
• Compensating controls may be identified through “assertion” attributes assigned to “Risk” and “Control Activity”.
• In cases of effectiveness failure of key controls, compensating controls may be identified along with assertions assigned to them.
[Figure: assertion matrix with Y / - flags for Risk (assertion), Control 1 - key (related assertion) and Control 2 – non-key (related assertion) across E/O, C, V/A, R/O, P/D. On failure of the key control: find “Compensating control”.]
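
The assertion matching described on this slide can be written as a set comparison. The Python below is an added example, not part of the original slides; the risk, the three controls, their IDs and their assertion flags are constructed, and treating a control as compensating only when it is itself effective is an assumption of this example.

```python
# Assertion labels as they appear on the slide's matrix.
ASSERTIONS = ("E/O", "C", "V/A", "R/O", "P/D")

# Constructed sample: one risk and the control activities mapped to it.
RISK = {"id": "R-1", "assertions": {"E/O", "C", "V/A"}}
CONTROLS = [
    {"id": "CTL-1", "key": True, "effective": False,
     "assertions": {"E/O", "C", "V/A"}},
    {"id": "CTL-2", "key": False, "effective": True,
     "assertions": {"E/O", "C"}},
    {"id": "CTL-3", "key": False, "effective": False,
     "assertions": {"V/A"}},
]

def compensating_controls(risk, controls):
    """Return (compensating, gaps) for a risk whose key control failed.

    compensating maps each exposed assertion to the effective controls
    whose related assertions include it; gaps lists exposed assertions
    that no effective control addresses.
    """
    used = set(risk["assertions"]).union(*(c["assertions"] for c in controls))
    unknown = used - set(ASSERTIONS)
    if unknown:
        raise ValueError(f"unknown assertion labels: {sorted(unknown)}")

    # Assertions of the risk that a failed key control was relied on for.
    exposed = set()
    for c in controls:
        if c["key"] and not c["effective"]:
            exposed |= c["assertions"] & risk["assertions"]

    compensating, gaps = {}, []
    for a in sorted(exposed):
        ids = sorted(c["id"] for c in controls
                     if c["effective"] and a in c["assertions"])
        if ids:
            compensating[a] = ids
        else:
            gaps.append(a)
    return compensating, gaps

if __name__ == "__main__":
    print(compensating_controls(RISK, CONTROLS))
```

In the constructed data the non-key control compensates for E/O and C only, so V/A is reported as a gap that still needs remediation.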
Questions? Yuji Furusho yfurusho@jp.fujitsu.com +81-3-6424-6227 THANK YOU!