404 Readiness Review: Documenting Your System of Internal Control - PowerPoint PPT Presentation

Slides: 37
Provided by: lorion
Transcript and Presenter's Notes

1
404 Readiness Review: Documenting Your System of Internal Control
  • The Institute of Internal Auditors
  • Webcast Series on Sarbanes-Oxley Act
  • May 21, 2003
  • 1:00 - 2:30 pm Eastern Time

2
The IIA Webcast Moderator
  • Jim Key, CIA
  • Managing Partner
  • Shenandoah Group, L.L.P

3
Webcast Series on SOA
  • Fostering Compliance with SOA
  • Internal Auditors' Role
  • Four sessions archived on IIA's website and
    available on CD
  • Originally aired January 28 - April 15, 2003

4
Webcast Series on SOA - Continues
  • Emerging Trends & Best Practices in Implementing SOA
  • Six sessions archived on IIA's website and
    available on CD
  • May 21: 404 Readiness Review: Documenting Your
    System of Internal Control
  • June 10: Helping the Audit Committee Implement
    Complaint Handling
  • Remaining sessions, with your input, will be on
    July 8, August 12, September 9 and September 30

5
Agenda
  • 1:00 Introductions and Overview
  • 1:10 Critical Decisions on Documenting Internal
    Controls - Bill Gassel
  • 1:20 Implementing Sarbanes-Oxley Sec 404 -
    Dennis Drent
  • 1:30 Maintaining Objectivity - Paul Sobel
  • 1:45 Break
  • 1:50 Questions and Answers - Panel
  • 2:25 Wrap up - Jim Key

6
Critical Decisions for Documenting Internal
Controls
  • Bill Gassel, CPA
  • Director of Internal Audit
  • Emerson

7
Chronology
  • Nov 02: Formed core team, established goals and
    timetable
  • Nov 02: Selected the documentation methodology,
    created a pilot questionnaire
  • Dec 02: Conducted pilots at 9 sites worldwide
  • Dec 02: Started on website to facilitate
    documentation collection
  • Jan 03: Led training and documentation rollout
  • Mar 03: Divisions completed documentation
    (tremendous effort); Internal Audit reviewed for
    sufficiency
  • May 03: Executing the testing plan


8
Key Initial Decisions
  • Documentation decisions made early on
  • Where?
  • What format (narratives, flowcharts,
    questionnaires, or a combination)?
  • What accounts or processes?
  • How much must be documented?
  • Who should certify?
  • Who will own/maintain the documentation?
  • How to train everyone?

9
Location Table
10
Example Documentation
11
Guidance for Control Descriptions
  • Note:
  • "Yes" answers require the following criteria:
      1. Describe the control procedure in detail.
      2. Who performs the control (employee title) and
         who reviews it?
      3. Frequency of control (daily, monthly,
         quarterly, etc.)
      4. Automated system or manual control.
  • "No" answers require:
      1. What mitigating controls exist to achieve
         the control objective?
      2. Who performs mitigating controls, and how often?
      3. If no mitigating controls exist, how will the
         deficiency be fixed?
  • "N/A" answers require:
      1. Explain why the control does not apply to
         the location.

12
Beneficial Steps
  • Executive management support obtained
  • Involved the Controllership function early
  • Communicated early with KPMG and EY to interpret
    likely standards
  • Standardized the documentation format
  • Used pilot process to gain practical insights
  • Collaborated with internal process experts to
    validate questionnaire focus

13
Beneficial Steps
  • Held central training for all Finance Officers
  • Created an Example Completed ICQ
  • Tailored the questionnaire for smaller and
    international sites
  • Reviewed a majority of the documentation for
    sufficiency
  • Started testing controls 5 months prior to
    year-end (10 - 12,000 hours of effort) -
    significant locations first

14
Current 404 Considerations
  • Develop Evaluation Methodology with Management
  • Which locations and controls will be tested?
  • Accumulating and aggregating the testing results
  • Broadening the evaluation methodology into ERM
  • Migrating Control Questionnaire platform to CSA
    process
  • Minimizing redundancy of testing between Internal
    and external auditors
  • Availability of qualified staff

15
Steps in Implementing Sarbanes-Oxley Sec. 404
  • Dennis Drent
  • Vice President Internal Audit
  • Nationwide Insurance

16
Implementing Sarbanes-Oxley 404
17
Implementing Sarbanes-Oxley 404
18
2. Develop evaluation strategy including use of
technology
  • CEO friendly technology solution.
  • Lotus Notes database allows for analysis and
    reporting. No flow charts.
  • Used drop-down boxes for everything we could.
  • Control and executive owners versus process
    owners.
  • Internal Audit owns the database - the business
    owns the controls.

19
Implementing Sarbanes-Oxley 404
20
Implementing Sarbanes-Oxley 404
21
5. First quarter certification and verification
process completed
  • Control and executive owners certify in database
    - separate verification process.
  • 30% of controls were changed, over 100 controls
    eliminated.
  • Internal Audit administers change questionnaire
    and consults on verification procedures.
  • Results of control certification/verification
    process reported to Disclosure Committee.

22
6. Control scrubbing, gap analysis, and control
evaluation
  • Time to bring in the external auditors - jointly
    define internal control adequacy.
  • At this point, most work performed by external
    auditor will be audit services and therefore
    mitigates independence conflict.

23
Implementing Sarbanes-Oxley 404
24
Implementing Sarbanes-Oxley 404
25
Implementing Sarbanes-Oxley 404
26
Maintaining Objectivity
  • Paul Sobel
  • Vice President, Risk Assessment
  • Aquila, Inc.

27
Corporate Governance Framework
[Diagram labels: Corporate Stakeholders; Governance Umbrella; Board of Directors; Risk Management; Assurance; Senior Management; Risk Owners]
28
Corporate Governance Framework
[Diagram labels: Sarbanes-Oxley Act; Governance Umbrella; Sec. 404 (shown twice); Board of Directors; Risk Management; Assurance; Senior Management; Risk Owners]
29
Objectivity Standards
  • Internal auditors should have an impartial,
    unbiased attitude and avoid conflicts of
    interest.
  • State of mind
  • Personal feelings or prejudices shouldn't distort
    the facts
  • Cannot act in a management role or make
    management decisions

30
The Audit Process
Audit Phase | Approach | Audit Evidence
Project Objective | Determined in Annual Audit Plan | Planning Memo
Risk Assessment | Identify/Assess Key Risks | Risk Memo/Matrix
Process Design | Understand Process and Identify Key Controls | Flowcharts, Memos
Gap Analysis | Evaluate Current vs. Desired State | Findings and Recommendations
Process Effectiveness | Develop and Execute Testing Plan | Testing Results
Gap Analysis | Evaluate Current vs. Desired State | Findings and Recommendations
Reporting | Communicate Results | Audit Report
31
The Sarbanes-Oxley 404 Process
Audit Phase | Approach | Audit Evidence
Project Objective | Understand S-O 404 Requirements | Project Planning Memo
Risk Assessment | Link F/S Captions to Processes; Assess Risks to F/S Assertions | F/S / Risks / Assertions Linkage
Process Design | Understand Processes; Identify Key Controls Over Financial Reporting | Flowcharts, Memos
Gap Analysis | Evaluate Current vs. Desired State | Findings and Remediation Plans
Process Effectiveness | Develop and Execute Assurance/Testing Plan | Testing Results
Gap Analysis | Evaluate Current vs. Desired State | Findings and Remediation Plans
Reporting | Update Key Control Effectiveness (Control Owner Assertions) | Self Assessments and Audit Reports
32
Maintaining Objectivity
Audit Phase | Approach | What Can IA Do?
Project Objective | Understand S-O 404 Requirements | No issues - objectives set by 3rd party (SEC)
Risk Assessment | Link F/S Captions to Processes; Assess Risks to F/S Assertions | Make risk judgments - must gain mgmt. concurrence
Process Design | Understand Processes; ID Key Controls Over Financial Reporting | Document processes based on mgmt. input and validation
Gap Analysis | Evaluate Current vs. Desired State | Make judgments - validate with mgmt.
Process Effectiveness | Develop and Execute Assurance/Testing Plan | Determine what to test and evaluate test results
Gap Analysis | Evaluate Current vs. Desired State | Make judgments - validate with mgmt.
Reporting | Update Key Control Effectiveness (Control Owner Assertions) | Facilitate/gather assessment results
33
Summary
  • Internal Audit can lead a Sarbanes-Oxley 404
    project
  • Documentation phase is no different than that
    required in an audit
  • IA's objectivity is not impaired if they lead the
    documentation efforts
  • It is important to engage management to validate
    judgments and decisions
  • They must own the results, not IA
  • Communicate consistently with your external
    auditors to ensure they understand how your
    objectivity has not been impaired
  • It's not an objectivity issue - it's an ownership
    issue!

34
Break
  • 5 min break followed by Poll

35
Questions & Answers
  • Email your questions to info_at_tvworldwide.com

36
Webcast Summary
  • Engage management to develop control evaluation
    strategy
  • Work with external auditors to reduce duplication
  • Leverage technology to support process
  • Internal audit can own the process
  • Objectivity is a state of mind