Addressing Sarbanes-Oxley in Manufacturing Organizations What Does it Mean and How to Become Compliant within the Sarbanes-Oxley Law Presented By: Andy Vitullo Principal, Logan Consulting
Who is Logan Consulting? • Logan Consulting is a professional services firm committed to helping businesses get the most from their information technology investments. Since 1992, we have been helping companies develop and execute business management and information systems strategies...from ERP selections and implementations to e-business planning to strategic IT applications.
Who is Logan Consulting? • Operating throughout North America, our clients are equally diverse...from global Fortune 100 companies to regional manufacturers...in both process and discrete industries.
BIO: Andy Vitullo • Former Controller, Accounting Manager, Tax Preparer, Auditor. • CPA, State of Ohio • BS, Accounting – • Financial Accountant with over 15 years of experience. • An Implementer of ERP with over 8 Years of Experience.
Agenda • Sarbanes-Oxley Law • 404 Requirements • Considerations for Your Company’s Internal Control Environment • Becoming Compliant with the Law: A phased project approach • Utilizing QAD’s MFG/PRO’s inherent “PREVENT Controls”
Why Was Sarbanes-Oxley Passed? • A perception that public companies failed to properly exercise appropriate corporate governance, which in turn led to fraudulent activities at certain public companies. • Enron, WorldCom, Tyco, Adelphia, etc… • Most dramatic business legislation in the last 50 years.
Who Does it Apply To? • Any public company required to file financial statements with the Securities and Exchange Commission (SEC) • Approximately 17,000 public equity and debt registrants
Focus of Law is on Sections 302 and 404 • Section 302 specifies the CEO and CFO must personally certify they are responsible for internal controls’ and procedures’ design, effectiveness, conclusions, and disclosure • They must disclose significant control changes, deficiencies, weaknesses, and fraud to their audit committee and external auditors • Section 404 mandates that management evaluate and opine on their internal controls in their annual report • The independent auditor must attest to management’s assessment of the effectiveness of financial reporting internal controls and procedures
What are Effective Controls • “A process designed to provide reasonable assurance regarding the achievement of business objectives” * • A process used by people, not an event • Reasonable but not absolute assurance • Business objectives include: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations • * Committee of Sponsoring Organizations (COSO)
Selected Related Events • 1985 - Treadway Commission • Report on Fraudulent Financial Reporting • Focus on control environment, codes of conduct, and competence and participation of audit committee • Created Committee of Sponsoring Organizations (COSO) • 1992 - COSO Published “Internal Controls - Integrated Framework” • Defined roles and responsibilities of management • Established framework for establishing, evaluating, monitoring, and reporting on internal controls
Selected Related Events • 2002 - Sarbanes-Oxley Act of July 2002 • Articulates compliance responsibilities for board and management • Relevant sections: • 301 - Procedures for handling complaints of financial problems and potential fraud • 302 - Disclosure certification of quarterly and annual financial reports • 401 - Disclosure of periodic off-balance-sheet transactions, pro-forma income statements, etc. • 404 - Management assessment of financial reporting internal controls • 409 - Real time issuer disclosures • 802 - Criminal penalties for altering documents • 806 - Protection for those who provide fraud evidence
Complying with the Sarbanes-Oxley Law • The SEC specifies that a corporation must select an industry-recognized controls framework • The SEC recognizes COSO’s framework, which is the most widely used • This framework provides structure for an internal controls program • It is also helpful in organizing the evaluation reporting
Additional Information • Audit Requirements Prior to the Act as they relate to Internal Controls • Prior to the Act, the focus of an audit of the financial statements was to provide an opinion on a company’s financial statements and not to report on internal control. Therefore, it is unlikely companies will already possess sufficient, organized documentation to support management’s assessment of the effectiveness of internal control.
Additional Information • A Sarbox Audit is incremental to the Annual External Audit of the Financial Statements. • Incremental Costs are estimated anywhere between 50 to 80 percent of the Standard External Audit. (Source: SEC: Survey of Filing Companies).
404 Overview Requires management evaluation and auditor attestation to the presence and effectiveness of internal controls over financial reporting. • Companies must report annually on internal controls in Form 10K and disclose: • Management’s responsibility for establishing and maintaining internal controls and procedures for financial reporting • Management’s conclusions as to the effectiveness of the internal controls and procedures for financial reporting • A statement identifying the framework used by management to evaluate the effectiveness of internal controls • A statement that independent auditors have issued a separate report attesting to management’s assertions
Impact on your Company 404 • Identify financial processes and accounts at Corporate and OpCo levels • Document internal controls • Enterprise level controls • Process/transaction/application level controls • Test internal controls and assess effectiveness • Establish ongoing monitoring and certification of effectiveness • Implement remediation steps if necessary • Obtain independent auditor attestation
Financial Statement Assertions 404 • Existence or Occurrence • Completeness • Valuation or Measurement • Rights and Obligations • Presentation and Disclosure
Evaluation of Controls 404 • INTERNAL CONTROL DEFICIENCY: More than remote likelihood of misstatement of financial statements; more than inconsequential in amount * • SIGNIFICANT DEFICIENCY: Must be reported to Audit Committee • MATERIAL WEAKNESS: Must be referred to in Attestation Report (results in adverse opinion); results in more than a remote likelihood of material misstatement in financial statements, by itself or in combination with other deficiencies • * Determined through judgment – there is not a published guideline for this.
Levels of Controls 404 • EXAMPLE ENTERPRISE LEVEL CONTROLS • Corporate Acquisitions Processes • Corporate and Operating Unit Sub Company Certification Process (SOX 302) • Good Audit Committee Processes • Corporate Consolidation Process • Financial Reporting Process • Internal Audit • EXAMPLE TRANSACTION/PROCESS/APPLICATION LEVEL CONTROLS • Quote to Cash Cycle • Record to Report Cycle • Purchase to Pay Cycle • Inventory Production and Control Cycle • Record and Monitor Debt • Calculate Income Taxes • Asset Management - Capitalization • Estimate Self-Insurance Accruals • Assess Assets for Impairment
Suggested Participants in Compliance Project 404 • SPONSOR/STEERING COMMITTEE: CEO, COO, CFO, Audit Committee Representative, IT Representative • PROJECT OFFICE: Corporate, Operations, Strategic Partners (External Auditor and Services Partner) • PROJECT TEAM: Operating Company Controllers, Director of Financial Reporting, Director of Internal Audit, Director of IT Financial Systems • OPERATING COMPANY: Functional Managers, Financial Systems, Operational Systems, Individual Contributors
404 Scoping and Planning • High-Level Analysis – Identify Significant Accounts and Locations • Classify Processes Affecting the Significant Accounts • Determine Controls To Document and Test • Routine Data Processes • Non-Routine Data Processes • Estimation Processes
Prototype Processes 404 • Select distinct processes to prototype • Accounts Payable Process • Revenue Recognition Process • Non-routine process • Estimation process • Functional managers at operating company will work together with project team • Documentation will be basis and template for remaining processes
Training & Education 404 • Operating Companies / Project Team Training & Education • Majority of work to be done by functional managers and individuals at each operating company • Project team will develop training/project materials: • Guidelines • Templates • Reporting requirements • Educate operating company participants via road-show training sessions
Documentation 404 • Documentation of Process and Internal Controls • Detailed documentation to be done after risk assessment and internal control process inventory is complete • Uniform basis using common templates and techniques • To be done by the process owner at operating company
Evaluation 404 • Project team will evaluate controls, documentation and reporting • Any control deficiencies will be explored and remedial steps will be taken • Communication with External Auditors
Independent Auditors 404 • Independent Auditor Review and Attestation • Ongoing involvement in scoping, planning and training • Required to perform their own testing and assessment • Project team will facilitate information flow and communication
Ongoing Monitoring 404 • A comprehensive process will be documented and implemented • Primary responsibility at Controller level, reporting up to senior management • Examples include: • Reconciliation reviews • Management reports • Internal audit reviews • Ad hoc monitoring
Considerations for Documenting Controls at the Process, Transaction, or Application Level • Identify Significant Accounts • Identify the Major Classes of Transactions and Related Processes that influence the Significant Accounts • Ask “What can go wrong?” questions • Identify Controls
Identify Significant Accounts • An account is significant if it can contain errors of importance in management’s judgment • Factors to Consider in Determining if an Account is Significant • Size and composition of the account, including its susceptibility to loss or fraud. • Volume of activity and the homogeneity of the transactions processed through the account. • Subjectivity in determining the account balance. • Nature of account: suspense accounts generally require greater attention. • Accounting and reporting complexities associated with the account. • Existence of related-party transactions.
Significant Accounts Example • Allowance for Doubtful Accounts • Generally considered a significant account separate from accounts receivable since balances that affect the allowance account are based on management estimation processes rather than on routine transactions (i.e. sales and cash receipts)
Identify the Major Classes of Transactions and Related Processes that influence the Significant Accounts. • Correlate Business Processes to Significant Accounts (i.e., segregate Inventories between purchasing, WIP, distribution of FG, maintenance) • Categorize Transaction Types as: • Routine – (Sales, Cash Receipts, Payroll) • Non-Routine – (Physical Inventory, Calculating Depreciation, Adjusting Foreign Currencies) • Estimation – Involves management judgment and has no precise means of measurement (Allowance for Doubtful Accounts, Warranty Reserves, Assessing Assets for Impairment)
Routine Transactions • Typically automated in our ERP systems. • IT Dependent • Management Reliance on programmed controls • Routine Transactions will still have inherent risk if the company fails to enforce “segregation of duties”.
Non-Routine Transactions • Generally are manual operations involving management judgment. • Accuracy indirectly dependent upon data elements from the computerized process. • Management still dependent upon IT to understand the flows of transactions.
Documentation Considerations for Routine and Non-Routine Transactions • Documentation should consider how transactions are initiated, recorded, processed, and reported. • Process models, flowcharts, procedure manuals, job descriptions, documents and forms should be the foundation documents for these transactions.
Concentrate on Documenting: • Major Data Input Sources • Important Data Files (customer and price master) • Processing Procedures • Output files, reports, and records. • Functional Segregation of Duties. • The Primary Purpose of this Documentation is to help identify where errors or fraud can occur.
Interaction of Significant Accounts and Business Processes • ..\Interaction of Significant Accounts and Business Processes.xls
What Can Go Wrong • Use the prism of Financial Statement Assertions in identifying errors. The assertions are: • Existence – of an asset or liability • Occurrence – an event took place • Valuation – of the transaction at the appropriate amount • Completeness – all transactions are recorded • Rights and Obligations – legal title exists for the assets. • Presentation and Disclosure – a transaction is properly classified and disclosed in the Financial Statements.
Considerations for Documenting Controls • Documentation of Controls is Sufficient when it: • Specifies “what can go wrong” in the transaction stream and thus where the controls are needed. • Describes the relevant prevent and detect controls that are responsive to the “what can go wrong” question. • States who performs the controls.
Validate the Control • Through walkthrough/audit of the transaction and control steps. • Assure all control steps are followed • Document the results. • Does the process need stronger controls?
Outside Resources • Most large consulting firms are booked supporting the large and intermediate-size companies for Sarbox compliance.
Internal Control Project Phases • Manage Project • Internal Controls Enhancement (*one or all of: Operations, Financial Reporting, Compliance) • Internal Controls Evaluation • Assure Quality
Becoming Compliant: A Project Approach • Plan the Project (2 Phases) • Internal Control Evaluation Phase • Internal control Enhancement Phase • Define the Project Organization • Assess the control Environment • Prepare Project Results
I. Plan Project (Internal Controls Evaluation) • Establish a shared vision of the project phase • Set objectives and deliverables • Define scope – select objective categories • Confirm work program, timing, and roles • Determine project phase risks, mitigation approach, and expectations • Complete project phase arrangements • Schedule key dates • Notify organization
II. Define Project Organization (Internal Controls Evaluation) • Determine if both Disclosure Committee and Internal Audit are required • Determine if CEO and CFO will also be the Project Management team • Establish Project Management Team • Select leaders and participants • Estimate required time and timing • Arrange for the participants’ time and timing • Train participants in Sarbanes-Oxley Act, COSO Framework, etc.
II. Define Project Organization (Internal Controls Evaluation) – Organization chart: • Board/Audit Committee • Disclosure Committee • CEO and CFO • Internal Audit • Project Management Team • Project Leader(s) • Project Team
III. Assess Control Environment • Determine project phase scope by looking at the organization’s industry, size, complexity, organization, and locations • Define levels of deficiency and weakness • Conduct Environment Survey for intangibles: • Code of conduct including integrity and ethical values • Active compliance program • Commitment to competence and training • Communicating the importance and awareness of internal controls • Management philosophy and operating style • Established channels of communication