Title: Leveraging the COSO Framework to Meet Section 404 Requirements
Leveraging the COSO Framework to Meet Section 404 Requirements
- The Institute of Internal Auditors
- Webcast Series on the Sarbanes-Oxley Act
- July 8, 2003
- 1:00 - 2:30 pm Eastern Time
The IIA Webcast Moderator
- Jim Key, CIA
- Managing Partner
- Shenandoah Group, L.L.P.
Disclaimer
- The views expressed in this webcast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees, and members.
The Webcast Series on the Sarbanes-Oxley Act
- Series 1: Fostering Compliance with SOA: Internal Auditor's Role
- Four sessions archived on the website and available on CD. To purchase, contact Alex at Agoodman_at_theiia.org
Series 2: Emerging Trends and Best Practices in Implementing SOA
- May 21: Section 404 Readiness Review: How to document your system of internal control. (Archived)
- June 10: Helping your audit committee implement complaint handling. (Archived)
- July 8: Leveraging the COSO framework to meet Section 404 requirements
- August 12: Project Administration: Setting and revising priorities in the wake of the Final 404 Rules
- September 9: Internal Audit support of Audit Committees: What works best
- September 30: The Road Ahead: Meeting the challenges in complying with the Sarbanes-Oxley Act
Sarbanes-Oxley Implications and Impact for Internal Audit
- Seminar Offering: 2.5 Days
- Chicago, July 30
- Seattle, August 4
- West Palm Beach, August 25
- Phoenix, September 10
- San Francisco, September 24
- Orlando, December 10
- New York, December 17
Other Resources
- IIA Web Page: www.theiia.org
  - Click on Guidance
  - Click on Tools and Resources for Corporate Governance
- IIA Position Papers
  - Responses to exposure drafts
- IIA Research Foundation Master Key Series
  - The Sarbanes-Oxley legislation
  - Stock listing exchanges' key requirements
Management Assessment of Internal Controls (404)
- Requires the SEC to prescribe rules to:
  - State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
  - Contain an assessment of the effectiveness of the internal control structure and procedures for financial reporting
SEC Final Rules
- Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports
- Release Date: June 5, 2003 (33-8238)
- Effective Date: August 14, 2003
- Evaluation of Internal Control over Financial Reporting within the context of the COSO framework
Agenda
- 1:00 Welcome and Overview
- 1:10 Soft Controls: Bruce Adamec
- 1:20 Control Activities: Ray Lukas
- 1:30 Monitoring: Andrew Bellenkes
- 1:40 Break
- 1:45 Questions and Answers: Panel
- 2:25 Wrap up: Jim Key
Soft Controls
- Bruce Adamec, CPA, CIA
- Vice President and General Auditor
- United Stationers Inc.
Soft Controls
- Control Environment
- Risk Assessment
- Information and Communication
The Goal is Reliable Financial Results and Safeguarding Assets: Are Soft Components Important?
- Commissioner Paul S. Atkins, SEC, Rocky Mountain Securities Conference, Denver, Colorado, May 30, 2003:
- "A long standing risk management principle is the importance of corporate culture and tone from the top. A CEO's tolerance, or lack of tolerance, of ethical misdeeds and a CEO's philosophy of business conveys a great deal throughout the organization. The role of directors is to monitor and oversee that situation on behalf of stockholders."
The Goal is Reliable Financial Results and Safeguarding Assets: Are Soft Components Important?
- Commissioner Cynthia Glassman, SEC, Federal Reserve Bank of Chicago, May 9, 2003:
- "I can't walk away from any discussion of corporate governance without stressing that the most important aspect of reform comes from market participants working proactively to foster an ethical culture in business."
Why We Should Care About Soft Controls Even Without Sarbanes-Oxley!
- Howard Schilit, Smart Money, July 2003:
- "Bad people, in business model with a nice story, will somehow find a way to destroy the business... But with honest people running the company... they'll be able to navigate through the tough times and the company won't blow it."
404 Evaluation
- Clear Understanding of Soft Components
- Infrastructure Evaluation: Hard Activities for Soft Components
- Evaluation of How Well the Soft Components Are Working to Ensure Financial Statement Reliability and Safeguarding of Assets
What Do COSO Components Mean?
- Control Environment: Organization's Ethics, Tone at the Top, Management Philosophy and Style, Commitment to Competence (Management Culture)
- Risk Assessment: How the Organization Routinely Identifies and Manages Risks (Goals and Obstacles)
- Information and Communication: Identifying, Capturing, and Communicating Relevant Data in a Form and Time Frame to Meet Associates', Investors' and Board of Directors' (Governance) Needs
Infrastructure Evaluation: Hard Activities for Soft Components
- Management Culture: Code of Ethics, Human Resources Practices
- Goals and Obstacles: Objectives, Financial Planning and Analysis, Hard-Coded Response Systems (Law, Finance, HR Departments)
- Communication/Information: Clear Authority/Responsibility Lines, Standard Financial Close/Reporting Practices, Disclosure Controls, Whistleblower Process, Open Door Policies
Evaluation of How Well the Soft Components Are Working
- Possible Methods:
  - Internal Control Questionnaires
  - Control Self Assessments
  - Survey Employees; Management Assesses Survey Results
Company-wide Framework
(Diagram: Awareness, Surveys, Control Self Assessments, Interviews, Knowledgeable Fact-based Assertions, Complete Continuous Monitoring, Action Plans, 404 Certifications, Identification)
More Information on Survey Method
- "Internal Reflections," The Internal Auditor, December 2002, pp. 56-63
- "Internal Audit's Role in Corporate Governance: Sarbanes-Oxley Compliance," IIA Website (IIARF Master Key)
- ALLTel Control and Risk Assessment
- El Paso Internal Control Assessment Survey
Control Activities
- Ray Lukas, CPA
- Director, Global Risk Management Solutions
- PricewaterhouseCoopers
Control Activities
- Control Activities
  - Policies and procedures that ensure management directives are carried out.
  - Range of activities including approvals, authorizations, verifications, reconciliations, performance reviews, asset security and segregation of duties.
Integration With Risk Assessment
- Along with assessing risks, management should identify the actions needed to address identified risks.
- These actions serve to focus attention on the control activities needed to ensure that such actions are appropriately carried out in a timely manner.
Integration With Risk Assessment
- Control activities are the means by which an enterprise strives to achieve its stated business objectives
- Control activities serve as the primary mechanism used by management to monitor performance to achieve business objectives, and
- Control activities are more effective when built directly into the management process
Types of Control Activities
- Numerous types of control activities, including:
  - Preventive controls
  - Detective controls
  - Manual controls
  - Computer controls, and
  - Management controls
- Control activities usually involve two distinct elements:
  - Policy that establishes what should be done, and
  - Procedures that entail specific actions to be taken to comply with the policy
- An essential element of the control activities/procedures performed is that issues identified as a result of such procedures be investigated and appropriate corrective actions taken
Types of Control Activities
- Control Activities are performed by personnel at various levels in the organization:
  - Top Level Review: Actual performance to budget and forecast
  - Direct Functional or Activity Management: daily, weekly and/or monthly review of performance by direct reports (supervisors/managers)
  - Information Processing: controls designed to check accuracy, completeness and authorization of transactions
Types of Control Activities
- Control Activities are performed by personnel at various levels in the organization (continued):
  - Physical Controls: Physical security and periodic counting of hard assets (cash, inventory, equipment, etc.)
  - Performance Indicators: Analytical reviews, where differences are investigated and corrective actions taken, and
  - Segregation of Duties: Incompatible duties are separated among different people to reduce the risk of error or inappropriate actions
Application to Sarbanes 404
(Maturity model diagram, five levels from Unreliable to Optimized; also labelled "Management 404 Internal Control Assertion")
- Level 1: Unreliable
  - Unpredictable environment where control activities are not designed or in place
- Level 2: Informal
  - Disclosure activities and controls are designed and in place but are not adequately documented
  - Controls mostly dependent on people
  - No formal training or communication of control activities
- Level 3: Standardized
  - Control activities are designed and in place
  - Control activities have been documented and communicated to employees
  - Deviations from control activities will likely not be detected
- Level 4: Monitored
  - Standardized controls with periodic testing for effective design and operation, with reporting to management
  - Automation and tools may be used in a limited way to support control activities
- Level 5: Optimized
  - An integrated internal control framework with real time monitoring by management and continuous improvement (Enterprise Wide Risk Management)
  - Automation and tools are used to support control activities and allow the organization to make rapid changes to the control activities if needed
Monitoring
- Andrew Bellenkes, CPA, Senior Auditor, VF Corporation
COSO Model - Monitoring Component
- Ongoing Monitoring: Management, supervisory, and other monitoring activities in the ordinary course of operations that assess the quality of internal controls
- Separate Monitoring: Evaluation focusing directly on system effectiveness, with a scope and frequency dependent on the assessment of risks and on ongoing monitoring
- Reporting Deficiencies: Upstream reporting of internal control deficiencies, with certain matters reported to top management and the board
SEC Final Ruling - Monitoring
Points of Focus...
- A recognized control framework must be used as the basis of evaluation
- Sufficient procedures to evaluate the design of, and to test, internal controls over financial reporting
- Evidentiary matter must be maintained
- Quarterly evaluation of changes to internal controls over financial reporting
- Certifications mandated by Sections 302 and 906 of the Sarbanes-Oxley Act must be filed as exhibits to annual, semi-annual and quarterly reports
Monitoring Component
- VF Hybrid Model
  - Goals / Objective Setting
  - Monitoring / Assessment
- COSO Model
  - Risk Assessment
  - Monitoring
Essential Elements of Effective Monitoring
- Scope Changes
- Evidentiary Support
  - SEC Rules
  - Archiving, Record Retention
- Rollover to the Next Period
- Training
- Internal Audit's Role
- Extent/Vigor of Quarterly Assessments
Roles in Monitoring Controls
(Diagram: Project Office, Internal Audit, Asian Business Units, Domestic Americas Business Units, European Business Units, Corporate Controller's Office)
Roles in Monitoring Controls: Project Office/Internal Audit/Corporate Controller's Office
- Project Office
  - Corporate Communication
  - Training
  - Systems Administration (for the internal controls documentation database used)
- Internal Audit
  - Review of Self-Testing by the Business Units
  - Coordination and Performance of Testing (for external audit reliance, except for exempt areas)
Roles in Monitoring Controls: Project Office/Internal Audit/Corporate Controller's Office
- Corporate Controller's Office
  - Policies and Procedures Statements
  - Internal Control Design and Implementation
  - Technical Guidance
Roles in Monitoring Controls: the Organization
(Organization chart)
- VF Risk Committee: Corporate CFO - Chair
- Project Office: General Auditor, Corporate Controller, Internal Audit, Finance
- Issue resolution; Ownership of final accounting determinations
- External Advisory
- Business Units, each with a BU Owner and BU Coordinator: VF Intimates, VF Corporate, VF Jeanswear, VF Outdoor, VF Europe, VF Asia/GSO, VF Services FI/HR, VF Imagewear, VF IS/IT (BU Owner only)
- Acquisition(s)?
Roles in Monitoring Controls: VF Europe
(Organization chart)
- VF Risk Committee: Corporate CFO - Chair
- Project Office: General Auditor, Corporate Controller, Internal Audit, Finance
- VF Europe: BU Owner, BU Coordinator
  - Location Coordinators: UK, Italy, Belgium, Malta, Germany, Poland
Ongoing Monitoring: VF Methodology
- Ongoing Business Unit testing
- Integrated internal audit approach to test Business Unit compliance with Section 404 vs. stand-alone audits of Accounting and Financial Reporting internal controls
- Quarterly certifications from Business Unit CFOs and CIOs
Summary
- Analysis and assessment of soft controls is as critical as analysis and assessment of hard controls.
- Need for evaluation controls that span all five components of COSO.
- Business unit management owns the monitoring function.