440 likes | 601 Views
Leveraging the COSO Framework to Meet Section 404 Requirements. The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Act July 8, 2003 1:00 – 2:30 pm Eastern Time. The IIA Webcast Moderator. Jim Key, CIA Managing Partner Shenandoah Group, L.L.P. Disclaimer.
E N D
Leveraging the COSO Framework to Meet Section 404 Requirements The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Act July 8, 2003 1:00 – 2:30 pm Eastern Time
The IIA Webcast Moderator Jim Key, CIA Managing Partner Shenandoah Group, L.L.P
Disclaimer The views expressed in this web cast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees, and members.
The Webcast Series on the Sarbanes-Oxley Act Series 1: Fostering Compliance with SOA: Internal Auditor’s Role • Four sessions archived on website and available on CD • To purchase contact Alex at Agoodman@theiia.org
Series 2: Emerging Trends and Best Practices in Implementing SOA • May 21-Section 404 Readiness Review: How to document your system of internal control. (Archived) • June 10 -Helping your audit committee implement complaint handling. (Archived) • July 8 -Leveraging the COSO framework to meet Section 404 requirements • August 12 -Project Administration – Setting and revising priorities in the wake of the “Final 404 Rules” • September 9 -Internal Audit support of Audit Committees – What works best • September 30 -The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act
Sarbanes-Oxley: Implications and Impact for Internal Audit • Seminar Offering: 2.5 Days • Chicago, July 30 • Seattle, August 4 • West Palm Beach, August 25 • Phoenix, September 10 • San Francisco, September 24 • Orlando, December 10 • New York, December 17
Other Resources • IIA Web Page www.theiia.org • Click on Guidance • Click on Tools and Resources for Corporate Governance • IIA Position Papers • Responses to exposure drafts • IIA Research Foundation Master Key Series • The Sarbanes-Oxley legislation • Stock listing exchanges key requirements
Management Assessment of Internal Controls (404) • Requires the SEC to prescribe rules to: • State the responsibility of management for establishing and maintaining adequate internal control structure and procedures for financial reporting, and • Contain an assessment of effectiveness of the internal control structure and procedures for financial reporting
SEC Final Rules • Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports • Release Date: June 5, 2003 (33-8238) • Effective Date: August 14, 2003 • Evaluation of Internal Control over Financial Reporting within the context of COSO framework
Agenda 1:00 Welcome and Overview 1:10 Soft Controls – Bruce Adamec 1:20 Control Activities – Ray Lukas 1:30 Monitoring – Andrew Bellenkes 1:40 Break 1:45 Questions and Answers – Panel 2:25 Wrap up – Jim Key
Soft Controls Bruce Adamec, CPA, CIA Vice President and General Auditor United Stationers Inc.
Soft Controls Control Environment Risk Assessment Information & Communication
The Goal is Reliable Financial Results and Safeguarding Assets – Are “Soft” Components Important? • Commissioner Paul S. Atkins, SEC, Rocky Mountain Securities Conference:Denver, Colorado, May 30, 2003 “A long standing risk management principle is the importance of corporate culture and “tone from the top”. A CEO’s tolerance, or lack of tolerance of ethical misdeeds and a CEO’s philosophy of business conveys a great deal throughout the organization. The role of directors is to monitor and oversee that situation on behalf of stockholders.“
The Goal is Reliable Financial Results and Safeguarding Assets – Are “Soft” Components Important? • Commissioner Cynthia Glassman, SEC, Federal Reserve Bank of Chicago May 9, 2003“I can’t walk away from any discussion of corporate governance without stressing that the most important aspect of reform comes from market participants working proactively to foster an ethical culture in business.”
Why We Should Care About Soft Controls – Even Without Sarbanes Oxley! • Howard Shilit, Smart Money, July 2003, “Bad people, in business model with a nice story, will somehow find a way to destroy the business…But with honest people running the company…they’ll be able to navigate through the tough times and the company won’t blow it.”
404 Evaluation • Clear Understanding of Soft Components • Infrastructure Evaluation – “Hard” Activities for “Soft” Components • Evaluation of How Well The Soft Components Are Working to Ensure Financial Statement Reliability, Safeguarding Assets
What Do COSO Components Mean? • Control Environment – Organization’s Ethics, Tone At Top, Management Philosophy and Style, Commitment to Competence – Management Culture • Risk Assessment – How Organization Routinely ID’s and Manages Risks – Goals and Obstacles • Information and Communication – Identifying, Capturing, and Communicating Relevant Data in a Form and Time Frame To Meet Associates’, Investor, and Board of Director’s (Governance) Needs
Infrastructure Evaluation“Hard Activities For Soft Components” • Management Culture – Code of Ethics, Human Resources Practices • Goals and Obstacles – Objectives, Financial Planning and Analysis, Hard-Coded Response Systems (Law, Finance,HR Department) • Communication & Information – Clear Authority/Responsibility Lines, Standard Financial Close/Reporting Practices, Disclosure Controls, Whistleblower Process, “Open Door” Policies
What Do COSO Components Mean? • Control Environment – Organization’s Ethics, Tone At Top, Management Philosophy and Style, Commitment to Competence – Management Culture • Risk Assessment – How Organization Routinely ID’s and Manages Risks – Goals and Obstacles • Information and Communication – Identifying, Capturing, and Communicating Relevant Data in a Form and Time Frame To Meet Associates
Infrastructure Evaluation“Hard Activities For Soft Components” • Management Culture – Code of Ethics, Human Resources Practices • Goals and Obstacles – Objectives, Financial Planning and Analysis, Hard-Coded Response Systems (Law, Finance,HR Department) • Communication & Information – Clear Authority/Responsibility Lines, Standard Financial Close/Reporting Practices, Disclosure Controls, Whistleblower Process, “Open Door” Policies
Evaluation of How Well the “Soft” Components Are Working Possible Methods - • Internal Control Questionnaires • Control Self Assessments • Survey Employees, Management Assesses Survey Results
of Directors Board Control Internal System Company-wide Framework Awareness Surveys Control Self Assessments Interviews Complete Continuous Monitoring Knowledgeable Fact-based Assertions Action Plans 404 Certifications Identification
More Information on Survey Method • “Internal Reflections”, The Internal Auditor, December 2002, Pp. 56-63 • “Internal Audit’s Role in Corporate Governance: Sarbanes Oxley Compliance”, IIA Website (IIARF Master Key) • ALLTel Control and Risk Assessment • El Paso Internal Control Assessment Survey
Control Activities Ray Lukas, CPA Director , Global Risk Management Solutions PricewaterhouseCoopers
Control Activities • Control Activities • Policies and procedures that ensure management directives are carried out. • Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Integration With Risk Assessment • Along with assessing risks, management should identify the actions needed to address identified risks. • These actions serve to focus attention on the control activities needed to ensure that such actions are appropriately carried out in a timely manner
Integration With Risk Assessment • Control activities are the means by which an enterprise strives to achieve its stated business objectives • Control activities serve as the primary mechanism used by management to monitor performance to achieve business objectives, and • Control activities are more effective when built directly into the management process
Types of Control Activities • Numerous types of control activities, including: • Preventative controls • Detective controls • Manual controls • Computer controls, and • Management controls • Control activities usually involve two distinct elements: • Policy that establishes “what should be done”, and • Procedures that entail specific actions to be taken to comply with the policy Essential element of control activities/procedures performed is that issues identified as a result of such procedures be investigated and appropriate corrective actions taken
Types of Control Activities • Control Activities are performed by personnel at various levels in the organization • Top Level Review – Actual performance to budget and forecast • Direct Functional or Activity Management – daily, weekly an/or monthly review of performance by direct reports (supervisors & managers) • Information Processing – controls designed to check accuracy, completeness and authorization of transactions
Types of Control Activities • Control Activities are performed by personnel at various levels in the organization (continued) • Physical Controls – Physical security and periodic counting of hard assets (Cash, Inventory, equipment, etc.) • Performance Indicators – Analytical reviews, where differences are investigated and corrective actions taken, and • Segregation of Duties – Incompatible duties are separated among different people to reduce risk of error or inappropriate actions
Application to Sarbanes 404 Unreliable Informal Standardized Monitored Optimized - Unpredictable - Control activities - Standardized - Control activities - Integrated controls with environment are designed are designed, in internal controls periodic testing where and in place but place and are with real time for effective control are not adequately monitoring by design and activities are adequately documented management operation with not designed documented and continuous reporting to or in place improvement management • Level 1 – Unreliable • Unpredictable environment where control activities are not designed or in place • Level 2 – Informal • Disclosure Activities and Controls are designed and in place but are not adequately documented • Controls mostly dependent on people • No formal training or communication of control activities • Level 3 – Standardized • Control activities are designed and in place • Control activities have been documented and communicated to employees • Deviations from control activities will likely not be detected • Level 4 – Monitored • Standardized controls with periodic testing for effective design and operation with reporting to management • Automation and tools may be used in a limited way to support control activities • Level 5 – Optimized • An integrated internal control framework with real time monitoring by management with continuous improvement (Enterprise Wide Risk Management) • Automation and tools are used to support controls activities and allow the organization to make rapid changes to the control activities if needed Management 404 Internal Control Assertion
BUSINESS PROCESS FOCUS AREA Invoicing Control Noted Control Objective Control? Control Activities/Procedures Completeness of Input: All appropriate data are entered into the system and accepted for processing. Data rejected by the system are reported, investigated, corrected and re-entered. What ensures that a service invoice is generated for service provided? What ensures that a services provided cannot be invoiced twice? Y Every night there is a manual reconciliation of the number of Service Appointments that day to the number of appointments invoiced. This is part of the balancing procedures performed by the data center over nightly batch jobs. Approximately 70% of these invoices are transmitted to the customers electronically via EDI. A manual reconciliation is done to check that all invoices sent to EDI were received by EDI. EDI customers must acknowledge that they have received invoices. If customer acknowledgements are not received, the analysts follow up with the customers. The remaining 30% of the invoices are sent through regular mail. Y N N There is a programmed procedure that will only allow to invoice a customer for the services described on the bill. An invoice will not be generated for that appointment until the services on the bill agree to the service on the schedule logging system. Through a programmed procedure, invoices are priced using the contract assigned to that customer or the default price assigned to that customer in the customer contract pricing database. However, anyone that can manually enter a service provider can manually enter a different fee, thus overriding the contracted fee arrangement. There is a programmed procedure that will only allow to invoice a customer for the services on the bill. However, there is no control to ensure that all services provided were logged on to the service invoice. Accuracy of Input: All errors in data are detected when recorded, accepted by the system, or converted to system-readable format. What ensures that the fee and amount of the services provided are correct? What ensures that the invoice represents the actual services provided? Application to Sarbanes 404
Monitoring Andrew Bellenkes, CPA Senior Auditor VF Corporation
COSO Model - Monitoring Component Ongoing Monitoring - Management, supervisory, and other monitoring activities in the ordinary course of operations that assess the quality of internal controls Separate Monitoring - Evaluation focusing directly on system effectiveness with a scope and frequency dependent on the assessment of risks, and ongoing monitoring Reporting Deficiencies - Upstream reporting of internal control deficiencies, with certain matters reported to top management and the board
SEC Final Ruling - Monitoring Points of Focus... • Recognized control framework must be used as the basis of evaluation • Sufficient procedures to evaluate the design and the test of internal controls over financial reporting • Evidentiary matter must be maintained • Quarterly evaluation of changes to internal controls over financial reporting • Certifications mandated by Sections 302 and 906 of the Sarbanes-Oxley Act as exhibits to annual, semi-annual and quarterly reports must be filed
Monitoring Component • VF Hybrid Model • Goals & Objective Setting • Monitoring & Assessment COSO Model Risk Assessment Monitoring
Scope Changes Evidentiary Support - SEC Rules - Archiving, Record Retention, Rollover to the Next Period Training Internal Audit’s Role Extent/Vigor of Quarterly Assessments Essential Elements of Effective Monitoring
Roles in Monitoring Controls Project Office Internal Audit Asian Business Units Domestic & Americas Business Units European Business Units Corporate Controller’s Office
Roles in Monitoring Controls … Project Office/Internal Audit/Corporate Controller’s Office Project Office • Corporate Communication • Training • Systems Administration (for internal controls documentation database used) Internal Audit • Review of Self-Testing by the Business Units • Coordination and Performance of Testing (for external audit reliance, except for exempt areas)
Roles in Monitoring Controls … Project Office/Internal Audit/Corporate Controller’s Office Corporate Controller’s Office • Policies and Procedures Statements • Internal Control Design and Implementation • Technical Guidance
Roles in Monitoring Controls … the Organization VF Risk Committee Corporate CFO - Chair Project Office General Auditor, Corporate Controller, Internal Audit, Finance *Issue resolution: Ownership of final accounting determinations External Advisory VF Intimates BU Owner BU Coordinator VF Corporate BU Owner BU Coordinator VF Jeanswear BU Owner BU Coordinator VF Outdoor BU Owner BU Coordinator VF Europe BU Owner BU Coordinator VF ASIA /GSO BU Owner BU Coordinator VF Services FI/HR BU Owner BU Coordinator VF IS/IT BU Owner VF Imagewear BU Owner BU Coordinator Acquisition(s)?
Roles in Monitoring Controls … VF Europe VF Risk Committee Corporate CFO - Chair Project Office General Auditor, Corporate Controller, Internal Audit, Finance VF Europe BU Owner BU Coordinator UK Location Coordinator Italy Location Coordinator Belgium Location Coordinator Germany Location Coordinator Poland Location Coordinator Malta Location Coordinator
Ongoing Monitoring … VF Methodology • Ongoing Business Unit testing • Integrated internal audit approach to test Business Unit compliance with Section 404 vs. Stand- alone audits of Accounting and Financial Reporting internal controls • Quarterly certifications from Business Unit CFOs and CIOs
Summary • Analysis and assessment of soft controls is as critical as analysis and assessment of hard controls. • Need for evaluation controls that span all five components of COSO. • Business unit management owns the monitoring function.